Re: SQL injection

From: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>
To: Yonatan Ben-Nes <da(at)canaan(dot)co(dot)il>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: SQL injection
Date: 2005-11-01 18:53:25
Message-ID: 20051101185325.GE20349@pervasive.com
Lists: pgsql-general

On Tue, Nov 01, 2005 at 08:27:21PM +0200, Yonatan Ben-Nes wrote:
> Won't that create a performance penalty to extremely dynamic sites cause
> the plan will be planned only once and the data may vary a lot?
> Beside that I still won't have a solution to places where I create a
> query which can vary a lot (JOIN different tables, different WHERE etc...),
> it doesn't seem logical to me to start and create all of the different
> possibilities of queries when I create such an option at a site.

Yes, when you start getting into dynamically generated SQL you quickly
lose the performance benefit of prepared statements just because odds
are good that nothing else will use it. But you still have the benefit
of bound parameters and protection from injection.
--
Jim C. Nasby, Sr. Engineering Consultant jnasby(at)pervasive(dot)com
Pervasive Software http://pervasive.com work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
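The point of the exchange above is that the query *structure* (which tables are joined, which WHERE clauses appear) can be assembled at runtime while every user-supplied *value* is still passed as a bound parameter, so injection protection survives even when plan reuse does not. The following is an added illustration, not code from the thread or from PostgreSQL; it uses Python's sqlite3 module as a stand-in for a PostgreSQL client (psycopg uses `%s` placeholders where sqlite3 uses `?`), and the table layout, the `ALLOWED_COLUMNS` whitelist and the sample rows are constructed for the demo.

```python
import sqlite3

# Whitelist of the filter columns a request may choose (constructed for the demo).
# Identifiers cannot be bound as parameters, so they are validated against a
# fixed set instead of being copied from the request into the SQL text.
ALLOWED_COLUMNS = {"name", "city", "age"}


def build_query(filters, join_orders=False):
    """Assemble a dynamic SELECT with a varying WHERE and an optional JOIN.

    The SQL text changes with the request, so a cached plan would rarely be
    reused (the performance point raised in the thread), but every value is
    returned in `params` for binding rather than spliced into the string.
    """
    sql = "SELECT c.id, c.name FROM customers c"
    if join_orders:
        sql += " JOIN orders o ON o.customer_id = c.id"
    where = []
    params = []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected filter column: {column!r}")
        where.append(f"c.{column} = ?")   # structure from the whitelist only
        params.append(value)               # value goes out as a bound parameter
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql, params


def run(conn, filters, join_orders=False):
    """Execute the assembled query and return the matching customer names."""
    sql, params = build_query(filters, join_orders)
    return [row[1] for row in conn.execute(sql, params)]


def demo_db():
    """In-memory database with a few constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT, age INTEGER);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER);
        INSERT INTO customers VALUES (1, 'alice', 'Haifa', 30), (2, 'bob', 'Austin', 41);
        INSERT INTO orders VALUES (10, 1);
    """)
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(run(conn, {"city": "Haifa"}))                 # only alice
    print(run(conn, {}, join_orders=True))              # only customers with orders
    # A value containing quote characters is just data when it is bound:
    print(run(conn, {"name": "x' OR '1'='1"}))           # no such customer
```

Because the user-controlled text never reaches the SQL parser as syntax, a filter value containing quotes simply matches nothing. The structural choices (which JOIN, which columns) are limited to values the application itself defines, which is the part a whitelist has to cover since placeholders cannot stand in for identifiers.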
