Heikki,
* Heikki Linnakangas (heikki.linnakangas@enterprisedb.com) wrote:
> The big difference is what information can be obtained, not how fast it
> can be obtained.
Actually, I disagree. Time required to acquire the data does matter.
> Imagine a table that holds username/passwords for users. Each user is
> allowed to see his own row, including password, but not anyone else's.
> EXPLAIN side-channel might give pretty accurate information of how many
> rows there is in the table, and via clever EXPLAIN+statistics probing
> you might be able to find out what the top-10 passwords are, for
> example. But if you wanted to know what your neighbor's password is, the
> side-channels would not help you much, but an error message would reveal
> it easily.
Using only built-ins, could you elaborate on how one could pick exactly
what row was revealed using an error case? That strikes me as
difficult, but perhaps I'm not thinking creatively enough.
Thanks,
Stephen
