| From: | PFC <lists(at)peufeu(dot)com> |
|---|---|
| To: | "Hannu Krosing" <hannu(at)krosing(dot)net>, "Aidan Van Dyk" <aidan(at)highrise(dot)ca> |
| Cc: | "Gregory Stark" <stark(at)enterprisedb(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Tom Dunstan" <pgsql(at)tomd(dot)cc>, "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-04-30 10:55:06 |
| Message-ID: | op.uae694f6cigqcu@apollo13.peufeu.com |
| Lists: | pgsql-hackers |
> Could we also get a mode, where PREPARE would only be allowed for
> queries of the form "SELECT * FROM func(?,?,?,?,?);" :)
Actually, that is similar to the concept of "global prepared statements" that I proposed some time ago, but I will not have time to write the patch, alas...

The idea was that the DBA can create a list of SQL statements (with privileges about who can execute them, just like functions) which are prepared on demand at the first EXECUTE by the client.

This would enhance performance (but for performance I like the idea of caching plans better).

It would be pretty cumbersome, though, to execute dynamic SQL like the typical search query...
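As an added illustration (not code from this thread or from PostgreSQL), the following script shows how the "SELECT * FROM func(?,...)" access pattern quoted above can be enforced with ordinary privileges today: the application role can only reach the data through a function with a fixed, typed parameter list, and the client binds values as parameters. The role, table and function names (`app_ro`, `customers`, `find_customer`) are constructed for the example.

```sql
-- Added example, not from the thread. Names below are constructed.
CREATE ROLE app_ro NOLOGIN;

CREATE TABLE customers (
    id     serial PRIMARY KEY,
    email  text NOT NULL,
    region text NOT NULL
);

-- The application role gets no direct access to the table at all;
-- every read has to go through the function defined next.
REVOKE ALL ON customers FROM app_ro;

-- The only entry point: a function with a fixed, typed parameter list.
-- SECURITY DEFINER runs the body with the owner's rights; pinning
-- search_path keeps callers from substituting objects resolved by name.
CREATE OR REPLACE FUNCTION find_customer(p_region text, p_limit int)
RETURNS SETOF customers
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
    SELECT * FROM customers
     WHERE region = p_region
     ORDER BY id
     LIMIT p_limit;
$$;

-- Functions are EXECUTE-able by PUBLIC by default, so revoke that first,
-- then grant execution to the application role only.
REVOKE ALL ON FUNCTION find_customer(text, int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION find_customer(text, int) TO app_ro;

-- Client side (as app_ro): the statement text is fixed at PREPARE time and
-- values arrive as typed parameters, so a quote in the input is just data.
PREPARE q_find_customer(text, int) AS SELECT * FROM find_customer($1, $2);
EXECUTE q_find_customer('EU', 10);
EXECUTE q_find_customer('EU'' OR 1=1 --', 10);  -- compares as a plain string
```

The second EXECUTE returns no rows rather than every row, because the parameter is compared against `region` as a value and never re-parsed as SQL.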