From: Christian Kratzer <ck(at)cksoft(dot)de>
To: Dirk Lutzebäck <lutzeb(at)aeccom(dot)com>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, pgsql-bugs(at)postgresql(dot)org, Sven Geisler <sgeisler(at)aeccom(dot)com>
Subject: Re: partial indexes not used on parameterized queries?
Date: 2006-07-10 12:00:30
Message-ID: 20060710135412.Q75750@vesihiisi.cksoft.de
Lists: pgsql-bugs
Hi,
On Mon, 10 Jul 2006, Dirk Lutzebäck wrote:
> Hi Simon,
>
> are you sure this has not been changed? I'm pretty sure my code worked a
> while ago. We are using Perl DBD::Pg on the client side and almost never pass
> parameters inside the SQL string for security reasons. I can't say if it
> broke from 8.0 -> 8.1 for us or in one of the minor 8.1 releases.
DBD::Pg only recently started preparing queries in the server.
Older versions of DBD::Pg simulated prepared statements behind the
scenes so your postgresql server got to plan every query individually.
You might want to switch off server side prepares for your specific
query and see if that helps. See the description of pg_server_prepare
in the DBD::Pg manpage on how to go about this.
> In any case I would see this as a security problem because you cannot control
> sql code injection easily (as with using DBD::Pg) if you have to pass
> parameters in the SQL string to use partial indexes.
I hope you are not relying on prepared statements as your only
defense against sql code injection.
Greetings
Christian
--
Christian Kratzer ck(at)cksoft(dot)de
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
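The two DBD::Pg modes discussed above, side by side, as an added example that is not code from this thread or from DBD::Pg itself. It assumes PG_DSN/PG_USER/PG_PASS point at a PostgreSQL database in which temporary objects may be created; the table, index and statement names are invented for illustration. The same placeholder code is run once with pg_server_prepare => 1 (the statement reaches the server as "status = $1" and the generic plan cannot prove the partial index predicate) and once with pg_server_prepare => 0 (DBD::Pg quotes the value client-side, the server sees a literal and can use the index). On the 8.x servers in this thread the generic plan is the only one; servers from 9.2 to 11 plan the first few executions with the actual value, and 12 and later expose the generic case via plan_cache_mode, which the script sets where available. The tail of the script shows the part of the query that no prepared-statement mode protects: an identifier taken from outside must be whitelisted and quoted separately.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from DBD::Pg. Assumes
# PG_DSN/PG_USER/PG_PASS point at a PostgreSQL database you may create
# temporary objects in; table, index and statement names are invented.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect($ENV{PG_DSN} || 'dbi:Pg:dbname=postgres',
                       $ENV{PG_USER}, $ENV{PG_PASS},
                       { RaiseError => 1, AutoCommit => 1, PrintError => 0 });

# A partial index that covers only the few 'open' rows.
$dbh->do(q{CREATE TEMP TABLE orders (id serial PRIMARY KEY, status text NOT NULL, total numeric)});
$dbh->do(q{INSERT INTO orders (status, total)
           SELECT CASE WHEN g % 200 = 0 THEN 'open' ELSE 'closed' END, g
           FROM generate_series(1, 50000) AS g});
$dbh->do(q{CREATE INDEX orders_open_idx ON orders (id) WHERE status = 'open'});
$dbh->do(q{ANALYZE orders});

my $sql = q{SELECT id, total FROM orders WHERE status = ?};

# Same placeholder code either way; only the driver's transport changes.
#
# pg_server_prepare => 1: DBD::Pg sends "... WHERE status = $1" and the
# server plans it with $1 unknown. The planner cannot prove that
# status = $1 implies status = 'open', so the generic plan ignores
# orders_open_idx (always on the 8.x servers in this thread; on 12+ with
# plan_cache_mode = force_generic_plan; on 9.2 to 11 only after the first
# few executions, which are planned with the actual value).
my $server = $dbh->prepare($sql, { pg_server_prepare => 1 });
$server->execute('open');
printf "server-side prepare: %d open rows\n", scalar @{ $server->fetchall_arrayref };

# pg_server_prepare => 0: DBD::Pg quotes the value itself and sends
# "... WHERE status = 'open'", so the server plans a literal and can use
# the partial index. Injection safety here rests on DBD::Pg's client-side
# quoting rather than on protocol-level parameters.
my $client = $dbh->prepare($sql, { pg_server_prepare => 0 });
$client->execute('open');
printf "client-side quoting:  %d open rows\n", scalar @{ $client->fetchall_arrayref };

# Show the planner's view of both shapes. EXPLAIN EXECUTE of a SQL-level
# PREPARE is the generic-plan case a server-side prepared statement gets.
eval { $dbh->do(q{SET plan_cache_mode = force_generic_plan}) };  # 12+ only; ignored elsewhere
$dbh->do(q{PREPARE open_orders (text) AS SELECT id, total FROM orders WHERE status = $1});
print "-- generic plan for status = \$1:\n";
print "$_->[0]\n" for @{ $dbh->selectall_arrayref(q{EXPLAIN EXECUTE open_orders('open')}) };
print "-- plan for the literal:\n";
print "$_->[0]\n" for @{ $dbh->selectall_arrayref(q{EXPLAIN SELECT id, total FROM orders WHERE status = 'open'}) };

# Whichever mode is used, placeholders bind values only. Anything else that
# comes from outside (a column to sort by, a table name) cannot be bound and
# must be whitelisted and quoted as an identifier.
my %sortable = map { $_ => 1 } qw(id total);
sub open_orders_sorted {
    my ($sort_col) = @_;                 # untrusted, e.g. from a request
    die "refusing sort column '$sort_col'\n" unless $sortable{$sort_col};
    my $sth = $dbh->prepare('SELECT id, total FROM orders WHERE status = ? ORDER BY '
                            . $dbh->quote_identifier($sort_col) . ' LIMIT 5',
                            { pg_server_prepare => 0 });
    $sth->execute('open');
    return $sth->fetchall_arrayref;
}
printf "first by total: id=%d total=%s\n", @{ open_orders_sorted('total')->[0] };
```

Setting pg_server_prepare in the prepare() attribute hash limits the change to the one statement that needs the literal; setting $dbh->{pg_server_prepare} = 0 on the handle turns it off for every statement on that connection, which is the coarser option the message above suggests avoiding.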