Re: SQL injection - Mailing list pgsql-general

From Jim C. Nasby
Subject Re: SQL injection
Date
Msg-id 20051101185325.GE20349@pervasive.com
Whole thread Raw
In response to Re: SQL injection  (Yonatan Ben-Nes <da@canaan.co.il>)
Responses Re: SQL injection
List pgsql-general
On Tue, Nov 01, 2005 at 08:27:21PM +0200, Yonatan Ben-Nes wrote:
> Won't that create a performance penalty to extremly dynamic sites cause
> the plan will be planned only once and the data may vary alot?
> Beside that I still won't have a solution to places where I create a
> query which can vary alot (JOIN diffrent tables, diffrent WHERE etc...),
> it doesn't seem logical to me to start and create all of the diffrent
> possibilites of queries when I create such an option at a site.

Yes, when you start getting into dynamically generated SQL you quickly
loose the performance benefit of prepared statements just because odds
are good that nothing else will use it. But you still have the benefit
of bound parameters and protection from injection.
--
Jim C. Nasby, Sr. Engineering Consultant      jnasby@pervasive.com
Pervasive Software      http://pervasive.com    work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf       cell: 512-569-9461

pgsql-general by date:

Previous
From: Yonatan Ben-Nes
Date:
Subject: Re: SQL injection
Next
From: Dan Sugalski
Date:
Subject: Re: SQL injection