Re: partial indexes not used on parameterized queries?
| From | Christian Kratzer |
|---|---|
| Subject | Re: partial indexes not used on parameterized queries? |
| Date | |
| Msg-id | 20060710135412.Q75750@vesihiisi.cksoft.de |
| In reply to | Re: partial indexes not used on parameterized queries? (Dirk Lutzebäck <lutzeb@aeccom.com>) |
| List | pgsql-bugs |
Hi,

On Mon, 10 Jul 2006, Dirk Lutzebäck wrote:

> Hi Simon,
>
> are you sure this has not been changed? I'm pretty sure my code worked a
> while ago. We are using Perl DBD::Pg on the client side and almost never pass
> parameters inside the SQL string for security reasons. I can't say if it
> broke from 8.0 -> 8.1 for us or in one of the minor 8.1 releases.

DBD::Pg only recently started preparing queries in the server. Older versions of DBD::Pg simulated prepared statements behind the scenes, so your postgresql server got to plan every query individually.

You might want to switch off server side prepares for your specific query and see if that helps. See the description of pg_server_prepare in the DBD::Pg manpage on how to go about this.

> In any case I would see this as a security problem because you cannot control
> sql code injection easily (as with using DBD::Pg) if you have to pass
> parameters in the SQL string to use partial indexes.

I hope you are not relying on prepared statements as your only defense against sql code injection.

Greetings
Christian

--
Christian Kratzer                       ck@cksoft.de
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135                 Fax: +49 7452 889 136
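The per-statement switch Christian points at, shown as an added example that is not code from this thread or from the DBD::Pg project. It assumes a reachable PostgreSQL server (the DSN and credentials are placeholders taken from environment variables) and builds its own constructed table and partial index. The `pg_server_prepare` attribute on `prepare()` is the documented DBD::Pg mechanism; everything else (table, index and value names) is made up for the demonstration. The last part checks the point made at the end of the mail: with server-side prepares turned off, DBD::Pg still quotes bound values on the client, so the placeholder remains the injection defense rather than the prepared statement itself.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread or from the DBD::Pg project.
# Assumes a reachable PostgreSQL server; DSN and credentials below are placeholders.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect(
    $ENV{PG_DSN}  // 'dbi:Pg:dbname=example;host=localhost',   # placeholder DSN
    $ENV{PG_USER} // 'example_user',                            # placeholder user
    $ENV{PG_PASS} // '',                                        # placeholder password
    { RaiseError => 1, AutoCommit => 1 },
);

# Constructed test data: a partial index that only covers rows with status = 'open'.
$dbh->do('CREATE TEMP TABLE tickets (id serial PRIMARY KEY, status text NOT NULL, title text)');
$dbh->do(q{CREATE INDEX tickets_open_idx ON tickets (id) WHERE status = 'open'});
$dbh->do(q{INSERT INTO tickets (status, title)
           SELECT CASE WHEN g % 50 = 0 THEN 'open' ELSE 'closed' END, 'ticket ' || g
           FROM generate_series(1, 20000) AS g});
$dbh->do('ANALYZE tickets');

my $where = 'status = ? AND id > ?';

# Plan the query through DBD::Pg with the given pg_server_prepare setting and
# report whether the planner picked the partial index.
sub plan_uses_partial_index {
    my ($server_prepare, @binds) = @_;
    my $sth = $dbh->prepare("EXPLAIN SELECT id, title FROM tickets WHERE $where",
                            { pg_server_prepare => $server_prepare });
    $sth->execute(@binds);
    my $plan = join "\n", map { $_->[0] } @{ $sth->fetchall_arrayref };
    return $plan =~ /tickets_open_idx/ ? 1 : 0;
}

# With pg_server_prepare => 0, DBD::Pg quotes the bound values on the client and
# sends a plain SQL string, so the planner sees the literal 'open' and can prove
# the index predicate.
printf "client-side prepare, partial index used: %d\n",
    plan_uses_partial_index(0, 'open', 10000);

# With pg_server_prepare => 1 the server plans against $1/$2; whether it still
# picks the partial index depends on the server version (older releases build a
# single generic plan and cannot use the predicate).
printf "server-side prepare, partial index used: %d\n",
    plan_uses_partial_index(1, 'open', 10000);

# The placeholder is still the injection defense in both modes: a bound value
# containing a quote character is passed as data, not interpreted as SQL.
my $sth = $dbh->prepare("SELECT count(*) FROM tickets WHERE $where",
                        { pg_server_prepare => 0 });
$sth->execute("open' OR '1'='1", 0);
my ($n) = $sth->fetchrow_array;
printf "rows matching the quoted test value: %d (expected 0)\n", $n;

$dbh->disconnect;
```

Run it with `PG_DSN`, `PG_USER` and `PG_PASS` set for a scratch database; the temporary table disappears when the session ends. On 8.x-era servers the second `printf` is the one that reports 0, which is the behaviour the thread describes; newer servers may still choose the partial index for the first few executions of a server-side prepared statement, so compare both lines rather than assuming one outcome. Setting `$dbh->{pg_server_prepare} = 0` on the handle applies the same switch to every statement instead of just the one that needs it.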