From: | Mike Mascari <mascarm(at)mascari(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Is this a bug, possible security hole, or wrong |
Date: | 2002-06-13 14:05:54 |
Message-ID: | 3D08A6C2.67679A9E@mascari.com |
Lists: | pgsql-general |

I wrote:
>
> Tom Lane wrote:
> >
> > You're essentially asking for a guarantee about the order of evaluation
> > of WHERE clauses. There is no such guarantee, and won't be because it
> > would be a crippling blow to performance.
>
> It seems to me that the condition which must be satisfied is this:
>
> If the attribute of a view is used in a user-defined function, then the
> conditional expressions associated with the WHERE condition of the view
> *must* be evaluated before the user-defined function is called (if
> ever). That would not limit the use of an index scan in the above
> example. Other RDBMS allow for both server-side functions and the use of
> views for security.

I apologize. The pg_stat_activity view is a good example of using views
atop functions to provide security. It's not exactly obvious, but it can
be done. And with the SRFs coming, I suppose fixing views is a pretty
low priority...

Mike Mascari
mascarm(at)mascari(dot)com
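
The two defensive patterns this message touches on, as an added example that is not part of the original post or of PostgreSQL's own code: a view atop a function that does the filtering itself, and a `security_barrier` view, an option added in PostgreSQL 9.2 (years after this thread) that makes the view's own WHERE conditions run before caller-supplied quals that are not marked `LEAKPROOF`. The table, function, and view names are hypothetical and the rows are constructed sample data.

```sql
-- Constructed sample schema; every object name here is hypothetical.
CREATE TABLE accounts (
    owner   name    NOT NULL,   -- role allowed to see the row
    acct_no integer NOT NULL,
    balance numeric NOT NULL
);
INSERT INTO accounts VALUES
    ('alice', 1001, 250.00),
    ('bob',   2002, 990.00);

-- Base table is not readable directly; access goes through the views.
REVOKE ALL ON accounts FROM PUBLIC;

-- Pattern 1: a view atop a function (the approach the message describes).
-- The ownership filter runs inside the function body, so a predicate
-- supplied by the caller is only ever applied to rows already returned.
-- session_user is used because current_user inside a SECURITY DEFINER
-- function is the function's owner, not the caller.
CREATE FUNCTION my_accounts()
RETURNS TABLE (acct_no integer, balance numeric)
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT a.acct_no, a.balance
    FROM public.accounts a
    WHERE a.owner = session_user;
$$;

CREATE VIEW my_accounts_fn_v AS
    SELECT acct_no, balance FROM my_accounts();

-- Pattern 2: a security_barrier view (PostgreSQL 9.2 and later).
-- The planner will not push a caller's non-LEAKPROOF function below
-- the view's own "owner = current_user" condition.
CREATE VIEW my_accounts_barrier_v WITH (security_barrier) AS
    SELECT acct_no, balance
    FROM accounts
    WHERE owner = current_user;

GRANT SELECT ON my_accounts_fn_v, my_accounts_barrier_v TO PUBLIC;

-- An ordinary query still filters and can still use indexes on the
-- underlying table for the view's own condition.
SELECT acct_no, balance FROM my_accounts_barrier_v WHERE balance > 100;
```

The barrier view trades some optimization for the ordering guarantee, which is the performance cost Tom Lane's quoted reply refers to; only quals on `LEAKPROOF` functions and operators can still be pushed down into it.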