
Re: partial indexes not used on parameterized queries?

From: Christian Kratzer <ck(at)cksoft(dot)de>
To: Dirk Lutzebäck <lutzeb(at)aeccom(dot)com>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, pgsql-bugs(at)postgresql(dot)org,Sven Geisler <sgeisler(at)aeccom(dot)com>
Subject: Re: partial indexes not used on parameterized queries?
Date: 2006-07-10 12:00:30
Message-ID: 20060710135412.Q75750@vesihiisi.cksoft.de
Lists: pgsql-bugs
Hi,

On Mon, 10 Jul 2006, Dirk Lutzebäck wrote:

> Hi Simon,
>
> are you sure this has not been changed? I'm pretty sure my code worked a 
> while ago. We are using Perl DBD::Pg on the client side and almost never pass 
> parameters inside the SQL string for security reasons. I can't say if it 
> broke from 8.0 -> 8.1 for us or in one of the minor 8.1 releases.

DBD::Pg only recently started preparing queries in the server.

Older versions of DBD::Pg simulated prepared statements behind the
scenes, so your PostgreSQL server got to plan every query individually.

You might want to switch off server-side prepares for your specific
query and see if that helps.  See the description of pg_server_prepare
in the DBD::Pg manpage on how to go about this.

> In any case I would see this as a security problem because you cannot control 
> SQL code injection easily (as with using DBD::Pg) if you have to pass 
> parameters in the SQL string to use partial indexes.

I hope you are not relying on prepared statements as your only
defense against SQL code injection.

Greetings
Christian

-- 
Christian Kratzer                       ck(at)cksoft(dot)de
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135                 Fax: +49 7452 889 136
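As an added illustration (not code from Christian's or Dirk's mail), the per-statement pg_server_prepare switch Christian refers to, using DBD::Pg's prepare attributes; the tickets table, the partial index, and the connection details are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Placeholder connection details; adjust for your environment.
my $dbh = DBI->connect('dbi:Pg:dbname=appdb', 'appuser', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Assumed schema for the example:
#   CREATE INDEX tickets_open_idx ON tickets (created_at)
#       WHERE status = 'open';
# A generic server-side plan for "status = $1" cannot prove the index
# predicate at plan time, so the partial index is not considered.
my $sql = 'SELECT id, created_at FROM tickets'
        . ' WHERE status = ? ORDER BY created_at LIMIT 20';

# Default behaviour in recent DBD::Pg: server-side PREPARE, parameter
# value sent separately from the SQL text.
my $sth_generic = $dbh->prepare($sql);

# Per-statement override: DBD::Pg quotes the bound value client-side
# and sends one plain SQL string, so the planner sees status = 'open'
# and can match it against the partial index predicate. The value is
# still quoted by the driver, so the bind parameter stays a bind
# parameter; only the planning path changes.
my $sth_literal = $dbh->prepare($sql, { pg_server_prepare => 0 });

# Same setting can be applied connection-wide instead:
#   $dbh->{pg_server_prepare} = 0;

for my $pair ([ 'server-side prepare', $sth_generic ],
              [ 'client-side quoting', $sth_literal ]) {
    my ($label, $sth) = @$pair;
    $sth->execute('open');
    my $rows = $sth->fetchall_arrayref;
    printf "%-20s returned %d rows\n", $label, scalar @$rows;
}

$dbh->disconnect;
```

Compare the two paths with EXPLAIN on the same statement text (with pg_server_prepare => 0 the plan shows the literal predicate); binding in either mode handles quoting, but, as the mail says, application-level input validation still belongs alongside it.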
