| From: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Cc: | Jan Wieck <JanWieck(at)yahoo(dot)com>, Merlin Moncure <mmoncure(at)gmail(dot)com>, "howachen(at)gmail(dot)com" <howachen(at)gmail(dot)com> |
| Subject: | Re: pgsql vs mysql |
| Date: | 2006-07-11 16:42:59 |
| Message-ID: | 200607110943.00281.jd@commandprompt.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> The multiple insert stuff is not only non-standard, it also encourages
> the bad practice of using literal values directly in the SQL string
> versus prepared statements with place holders. It is bad practice
> because it introduces SQL injection risks since the responsibility of
> literal value escaping is with the application instead of the driver.
It is also something that users are clammoring for (and my customers). To
the point that I have customers using unions to emulate the behavior. Why?
Because it is really, really fast.
Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2006-07-11 17:03:47 | Re: encoding bug or feature? |
| Previous Message | Jan Wieck | 2006-07-11 16:04:07 | Re: pgsql vs mysql |