| From: | "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com> |
|---|---|
| To: | Yonatan Ben-Nes <da(at)canaan(dot)co(dot)il> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection |
| Date: | 2005-11-01 22:07:30 |
| Message-ID: | 20051101220730.GK20349@pervasive.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, Nov 01, 2005 at 11:31:36PM +0200, Yonatan Ben-Nes wrote:
> Jim C. Nasby wrote:
> >Yes, when you start getting into dynamically generated SQL you quickly
> >loose the performance benefit of prepared statements just because odds
> >are good that nothing else will use it. But you still have the benefit
> >of bound parameters and protection from injection.
>
> My problem with the dynamically generated SQL is that I'll have to
> create and maintain lots of prepared statements and be sure that I dont
> miss any available option, and also every time that ill have to do basic
> changes at the queries I'll have to update each one of those prepared
> statements.... it seems to me like of extra work for sites which can
> create many dynamic queries.
So don't maintain them. Just re-plan every time. My point is using bound
parameters to protect against injection.
As for the sub-optimal planning, I don't think that's normally an issue
unless your data distribution is uneven.
--
Jim C. Nasby, Sr. Engineering Consultant jnasby(at)pervasive(dot)com
Pervasive Software http://pervasive.com work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim C. Nasby | 2005-11-01 22:11:10 | Re: SQL injection |
| Previous Message | Martijn van Oosterhout | 2005-11-01 22:00:26 | Re: SQL injection |