Enhansement proposal: ordering by parameter

From: Jordan Gigov <coladict(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Enhansement proposal: ordering by parameter
Date: 2016-07-20 11:34:06
Message-ID: CA+nBocB1Auc_eqOZLtoXNoXGbQ43W_ahDuTm6Dz8REfu6ig4Sw@mail.gmail.com
Lists: pgsql-general

Just about every web developer encounters scenarios where they need to let
the user sort the results by the column they choose and that leads to
dangers of possible SQL injection, but also the loss of prepared statement
caching and optimizations (at least under Java with JPA). I have tried
using numeric parameters in the ORDER BY expression, but they have no
effect (last tested under 9.3). What if we make it so that they can take
numeric parameters?

I realize that might cut the query planner's optimizations short, when
used, but it would provide your users with additional security. After
that the problem remains the direction of the ordering, since that one uses
keyword literals, but keeping just two string constants with the queries
for ascending and descending is better than creating new strings every time
depending on the column used or keeping 14 versions of the same query.
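The ORDER BY problem the post describes, as an added example that is not part of the original message or of PostgreSQL itself: the string-concatenation pattern that exposes a query to injection, beside an allow-list builder that maps client-supplied sort keys and directions onto a fixed set of column names and keywords. The table, column names and sort keys are constructed for the example; the functions only build SQL text and need no database, so the number of distinct query strings a prepared-statement cache would see can be checked directly.

```python
# Added example, not code from the original post: user-selectable sorting
# built through an allow-list instead of pasting client input into SQL.
# Table and column names below are constructed for illustration.
from typing import Dict, Optional, Tuple

# Client-facing sort keys -> real column names. Anything not listed here
# can never reach the SQL text.
SORTABLE_COLUMNS: Dict[str, str] = {
    "name": "username",
    "created": "created_at",
    "email": "email",
}

# The direction is a keyword, not a bindable value, so it goes through the
# same kind of allow-list: exactly two accepted spellings.
DIRECTIONS: Dict[str, str] = {"asc": "ASC", "desc": "DESC"}

# Fallback used when the client sends an unknown key or direction.
DEFAULT_COLUMN, DEFAULT_DIRECTION = "username", "ASC"

BASE_QUERY = "SELECT id, username, email FROM users"


def vulnerable_order_query(sort_param: str) -> str:
    """The pattern the post warns about: whatever the client sent lands in the SQL."""
    return f"{BASE_QUERY} ORDER BY {sort_param}"


def resolve_sort(sort_key: Optional[str], direction: Optional[str]) -> Tuple[str, str]:
    """Map untrusted input to an allow-listed (column, direction) pair.

    Unknown or missing values fall back to the default rather than raising,
    so a malformed request degrades to the default ordering.
    """
    column = SORTABLE_COLUMNS.get((sort_key or "").lower(), DEFAULT_COLUMN)
    dir_kw = DIRECTIONS.get((direction or "").lower(), DEFAULT_DIRECTION)
    return column, dir_kw


def safe_order_query(sort_key: Optional[str], direction: Optional[str]) -> str:
    """Build the query from allow-listed parts only; client text never appears verbatim."""
    column, dir_kw = resolve_sort(sort_key, direction)
    return f"{BASE_QUERY} ORDER BY {column} {dir_kw}"


def distinct_query_count() -> int:
    """How many distinct query texts the allow-list can ever produce.

    This bounds what a prepared-statement cache has to hold: one entry per
    (column, direction) pair, instead of one per distinct client string.
    """
    return len(SORTABLE_COLUMNS) * len(DIRECTIONS)


if __name__ == "__main__":
    # A value that is not a column name passes straight through the
    # vulnerable builder but is replaced by the default in the safe one.
    print(vulnerable_order_query("not_a_column"))
    print(safe_order_query("not_a_column", "asc"))
    print(safe_order_query("created", "DESC"))
    print("distinct cacheable queries:", distinct_query_count())
```

The safe builder still produces a handful of distinct query strings (one per column and direction), which is the trade-off the post describes: a small fixed set of statement texts that a driver can cache, rather than an unbounded number derived from client input.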
