Re: Is passing a list as a bound variable safe from SQL injection?
| От | W. Matthew Wilson |
|---|---|
| Тема | Re: Is passing a list as a bound variable safe from SQL injection? |
| Дата | |
| Msg-id | CAGHfCUDMq1uAstus-6qgjt3df45G9smGmqWZn4caWMXEXTfDfw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Is passing a list as a bound variable safe from SQL injection? (Daniele Varrazzo <daniele.varrazzo@gmail.com>) |
| Ответы |
Re: Is passing a list as a bound variable safe from SQL
injection?
|
| Список | psycopg |
On Wed, Oct 2, 2013 at 12:17 PM, Daniele Varrazzo <daniele.varrazzo@gmail.com> wrote:
What other approach? Not using IN: the IN operator is converted to "=any(array)" by the postgres parser:
=# explain select * from x where id in (1,2,3,4,5);
QUERY PLAN
------------------------------------------------------------
Seq Scan on x (cost=0.00..6.58 rows=5 width=51)
Filter: (id = ANY ('{1,2,3,4,5}'::integer[]))
It is true that this can be very inefficient for long lists, I've
experimented it myself several times, but it's not something you can
change at driver level: creating a temp table to join on can be faster
even for not very long lists.
-- Daniele
This is the approach (and it does involve very long lists):
http://www.datadoghq.com/2013/08/100x-faster-postgres-performance-by-changing-1-line/
Instead of writing = any(array[1,2,3,4]), they wrote = any(values (1), (2), (3), (4), )
and somehow that works more quickly.
Would it be possible to make a python list subclass that converts itself to "values ( ... )" rather than to "array[ ... ]"? I imagine that this might be useful for these gigantic lists.
Matt
В списке psycopg по дате отправления: