Re: Geoserver-PostGIS performance problems

From: Maciek Sakrejda <m(dot)sakrejda(at)gmail(dot)com>
To: Rural Hunter <ruralhunter(at)gmail(dot)com>
Cc: pgsql-performance(at)postgresql(dot)org
Subject: Re: Geoserver-PostGIS performance problems
Date: 2012-07-26 06:51:33
Message-ID: CAOtHd0A8A5h-baTQ44OnVg7215BV6XPj_74ihHew9Jz7yNEUrg@mail.gmail.com
Lists: pgsql-performance
On Wed, Jul 25, 2012 at 7:13 PM, Rural Hunter <ruralhunter(at)gmail(dot)com> wrote:
> Why not just use simple Statement instead of PreparedStatement and construct
> the SQL with a concatenated string or StringBuilder? Like this:
> int col1=xxx;
> String col2="xxxx";
> String sql="select * from table where col1="+col1+" and col2='"+col2+"'";

Ah, finally get to apply the old there's-an-xkcd-for-that rule here:
http://xkcd.com/327/

Or, more informatively: http://en.wikipedia.org/wiki/SQL_injection

Note that it's not completely crazy (in fact, the JDBC driver used to
do this forever ago): if you know what you're doing, you *can*
safely escape strings and avoid injection. But it's not for the faint
of heart.

Also, if you control the parameters and can verify that escaping is
not (and will never be) necessary over the domain of their possible
values, that's another option.

But in general, it's safer to let drivers worry about this.
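The three approaches the reply contrasts, as an added example that is not code from this thread or from the PostgreSQL JDBC driver. It assumes the driver on the classpath and a hypothetical table t(col1 int, col2 text); the connection URL and credentials are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

// Added example, not code from the thread. Assumes the PostgreSQL JDBC driver
// on the classpath and a hypothetical table t(col1 int, col2 text).
public class ConcatVsPrepared {
    // The concatenation pattern from the quoted message. With col2 = "O'Brien"
    // it yields:  select * from t where col1=1 and col2='O'Brien'
    // The embedded quote ends the literal early, so the statement's shape now
    // depends on the data (a syntax error here; a rewritten WHERE clause in the
    // cases the linked articles describe).
    static String buildConcatenated(int col1, String col2) {
        return "select * from t where col1=" + col1 + " and col2='" + col2 + "'";
    }

    // Server-side parameters: the SQL text is fixed and col2 is sent as a
    // value, so quotes inside it are just characters to compare against.
    static int countPrepared(Connection conn, int col1, String col2) throws SQLException {
        String sql = "select count(*) from t where col1 = ? and col2 = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, col1);
            ps.setString(2, col2);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // The "you control the parameters" option from the reply: col1 is an int,
    // so no quoting is involved, and col2 must belong to a closed domain that
    // is checked before concatenation. Anything outside it is rejected.
    static final Set<String> ALLOWED_COL2 = Set.of("road", "river", "rail");

    static String buildValidated(int col1, String col2) {
        if (!ALLOWED_COL2.contains(col2)) {
            throw new IllegalArgumentException("col2 outside allowed domain: " + col2);
        }
        return "select * from t where col1=" + col1 + " and col2='" + col2 + "'";
    }

    public static void main(String[] args) throws SQLException {
        System.out.println(buildConcatenated(1, "O'Brien")); // broken literal
        System.out.println(buildValidated(1, "road"));       // safe by construction
        try (Connection c = DriverManager.getConnection("jdbc:postgresql://localhost/db", "u", "p")) {
            System.out.println(countPrepared(c, 1, "O'Brien")); // compares the name literally
        }
    }
}
```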
