| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Scott Carey <scott(at)richrelevance(dot)com> |
| Cc: | bricklen <bricklen(at)gmail(dot)com>, Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, Merlin Moncure <mmoncure(at)gmail(dot)com>, "pgsql-performance(at)postgresql(dot)org" <pgsql-performance(at)postgresql(dot)org> |
| Subject: | Re: Poor plan choice in prepared statement |
| Date: | 2008-12-30 23:02:29 |
| Message-ID: | 2796.1230678149@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-performance |
Scott Carey <scott(at)richrelevance(dot)com> writes:
> I have also had a case where one query would take a couple hundred ms to parse, but was fairly fast to plan and execute (1/3 the parse cost) -- yet another case where a prepared statement that re-plans each execution would be helpful. At least you can prevent SQL injection and cut the parse cost. Its not all about the cost of planning the query.
The point of a prepared statement IMHO is to do the planning only once.
There's necessarily a tradeoff between that and having a plan that's
perfectly adapted to specific parameter values.
Reasonable client-side APIs should provide the option to use out-of-line
parameters, which is what you want to prevent SQL injection, without
hard-wiring that to the orthogonal concept of statements whose plan is
prepared in advance. In libpq, for instance, PQexecParams() does that.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | bricklen | 2008-12-30 23:11:47 | Re: Poor plan choice in prepared statement |
| Previous Message | bricklen | 2008-12-30 21:40:26 | Re: Poor plan choice in prepared statement |