"Aidan Van Dyk" <aidan(at)highrise(dot)ca> writes:
> That said, though *I* like the idea (and since I develop against
> PostgreSQL 1st and use params for my queries I would consider it a nice
> tool to "keep me honest"), I can easily see that the cost/benefit ratio
> on this could be quite low and make it not worth the code/support
Note that using parameters even for things which are actually constants is not
really very desirable. If you have a query like:
SELECT * FROM users WHERE userid = ? AND status = 'active'
a) It makes things a lot clearer to when you call Execute($userid) which
values are actually the key user-provided data. In more complex queries it
can be quite confusing to have lots of parameters especially if the query
itself only makes sense if you know what values will be passed.
b) It allows the database to take advantage of statistics on "status" that
might not otherwise be possible.
Parameters are definitely the way to go for dynamic user data but for
constants which are actually an integral part of the query and not parameters
you're passing different values for each time it's actually clearer to include
them directly in the query.
Ask me about EnterpriseDB's On-Demand Production Tuning
In response to
pgsql-hackers by date
|Next:||From: Josh Berkus||Date: 2008-04-29 18:39:09|
|Subject: Re: Protection from SQL injection|
|Previous:||From: Tom Lane||Date: 2008-04-29 18:12:23|
|Subject: Re: [COMMITTERS] pgsql: Remove typename from A_Const. |