Re: Change in Log Format and Prepared Statements

From: Alexander Stanier <alexander(dot)stanier(at)egsgroup(dot)com>
To: Maciek Sakrejda <m(dot)sakrejda(at)gmail(dot)com>
Cc: Dave Cramer <pg(at)fastcrypt(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Change in Log Format and Prepared Statements
Date: 2012-09-17 06:58:21
Message-ID: 5056CA0D.7090109@egsgroup.com
Lists: pgsql-jdbc

<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Helvetica, Arial, sans-serif">Thanks,
Maciek, for your advice, which I will pass back to our Java
developers. We are using a combination of Torque and Hibernate
to access the database via JDBC. I think Hibernate passes
parameters as you suggest, but Torque doesn't. We are slowly
moving away from Torque to Hibernate.<br>
<br>
Do you know if there is any documentation on the "unnamed
variant" of prepared statements? I've read the pages on PREPARE
and EXECUTE but they don't go into much depth about what happens
in the background.<br>
<br>
Alex Stanier.<br>
<br>
</font></font>
<div class="moz-cite-prefix">On 13/09/2012 21:12, Maciek Sakrejda
wrote:<br>
</div>
<blockquote
cite="mid:CAOtHd0Df2_L=k+OxpWgNXso2w298V=D1GY7RDfwczTta=WjaJg(at)mail(dot)gmail(dot)com"
type="cite">
<pre wrap="">To clarify, when prepareThreshold is set to zero, the driver still
uses prepared statements, but it uses only the unnamed variant, which
should effectively have no overhead compared to inlining parameters.
The separate log messages are due to this change.

Safely passing in parameters is an important reason to use prepared
statements (perhaps more so than performance), so as to protect
against SQL injection. For what it's worth, based on the logs, it
looks like you're not doing that; you should seriously consider making
that change, especially if data like user names is coming externally.
</pre>
</blockquote>
</body>
</html>
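The distinction Maciek draws above, values inlined into the SQL text versus bound parameters sent alongside a fixed statement, together with the unnamed-statement mode selected by prepareThreshold=0, as an added Java/pgjdbc example that is not code from this thread or from the pgjdbc project; the connection URL, credentials, table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UnnamedPreparedStatementDemo {

    // Assumed connection URL. prepareThreshold=0 keeps pgjdbc on the extended
    // protocol (values travel as bind parameters, never spliced into the SQL
    // text) but restricts it to the unnamed statement, so no server-side
    // statement is cached per connection.
    static final String URL =
        "jdbc:postgresql://localhost:5432/appdb?prepareThreshold=0";

    // The pattern the logs in this thread suggest: the value becomes part of
    // the SQL string, so the server parses whatever the caller supplied.
    static int countByNameInlined(Connection c, String userName) throws SQLException {
        String sql = "SELECT count(*) FROM app_user WHERE name = '" + userName + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened form: the SQL text is fixed and the value is sent separately
    // as $1. With log_statement = 'all' the server logs this as
    // "execute <unnamed>: SELECT ..." followed by a DETAIL line listing $1,
    // which is the separate log message the thread asks about.
    static int countByNameBound(Connection c, String userName) throws SQLException {
        String sql = "SELECT count(*) FROM app_user WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userName); // bound, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed credentials; for ordinary input both methods return the same
        // count, but only the bound form is safe when userName comes from outside.
        try (Connection c = DriverManager.getConnection(URL, "app", "secret")) {
            String name = args.length > 0 ? args[0] : "alice";
            System.out.println(countByNameBound(c, name));
        }
    }
}
```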
