Hi,
On Mon, 10 Jul 2006, Dirk Lutzebäck wrote:
> Hi Simon,
>
> are you sure this has not been changed? I'm pretty sure my code worked a
> while ago. We are using Perl DBD::Pg on the client side and almost never pass
> parameters inside the SQL string for security reasons. I can't say if it
> broke from 8.0 -> 8.1 for us or in one of the minor 8.1 releases.
DBD::Pg only recently started preparing queries in the server.
Older versions of DBD::Pg simulated prepared statements behind the
scenes so your postgresql server got to plan every query individually.
You might want to switch off server side prepares for your specific
query and see if that helps. See the description of pg_server_prepare
in the DBD::Pg manpage on how to go about this.
> In any case I would see this as a security problem because you cannot control
> sql code injection easily (as with using DBD::Pg) if you have to pass
> parameters in the SQL string to use partial indexes.
I hope you are not relying on prepared statements as your only
defense against sql code injection.
Greetings
Christian
-- 
Christian Kratzer ck@cksoft.de
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
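The per-query switch Christian refers to, as an added example (not code from either poster): DBD::Pg's pg_server_prepare attribute can be set on a single prepare() call, so the planner sees the literal value and can pick the partial index, while bound parameters are still used instead of interpolating values into the SQL string. The DSN, credentials, table and index are assumed for illustration.

```perl
use strict;
use warnings;
use DBI;

# Assumed schema: table orders(id, status, customer_id) with a partial index
#   CREATE INDEX orders_open_idx ON orders (customer_id) WHERE status = 'open';
my $dbh = DBI->connect('dbi:Pg:dbname=example', 'appuser', 'secret',
    { RaiseError => 1, AutoCommit => 1 });

my $customer_id = 42;    # constructed input; in practice untrusted request data

# Default since DBD::Pg started using server-side prepares: the statement is
# planned once with $1/$2 as unknown values, so the planner cannot know that
# status = 'open' holds and may ignore the partial index.
my $sth_server = $dbh->prepare(
    'SELECT id FROM orders WHERE status = $1 AND customer_id = $2');
$sth_server->execute('open', $customer_id);

# Per-statement override: with pg_server_prepare => 0, DBD::Pg substitutes the
# bound values client-side (quoting them itself) and sends a complete query,
# so the planner sees the literal 'open' and can use orders_open_idx.
# The application still never concatenates $customer_id into the SQL text.
my $sth_client = $dbh->prepare(
    'SELECT id FROM orders WHERE status = ? AND customer_id = ?',
    { pg_server_prepare => 0 });
$sth_client->execute('open', $customer_id);

# Check which plan each variant gets, using the same parameter binding.
for my $sth ($sth_server, $sth_client) {
    my $rows = $sth->fetchall_arrayref;
    printf "%d open orders for customer %d\n", scalar @$rows, $customer_id;
}
my $plan = $dbh->selectall_arrayref(
    'EXPLAIN SELECT id FROM orders WHERE status = ? AND customer_id = ?',
    { pg_server_prepare => 0 }, 'open', $customer_id);
print "$_->[0]\n" for @$plan;    # look for an Index Scan on orders_open_idx
```

Confirm with EXPLAIN that the client-side variant actually chooses the partial index before changing the default; pg_server_prepare can also be set database-wide in the connect attributes, but a per-statement override keeps server-side prepares for everything else.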