Re: control max length of parameter values logged - Mailing list pgsql-hackers

From Tom Lane
Subject Re: control max length of parameter values logged
Msg-id 23925.1584225718@sss.pgh.pa.us
In response to Re: control max length of parameter values logged  (Bruce Momjian <bruce@momjian.us>)
Responses Re: control max length of parameter values logged  (Alvaro Herrera <alvherre@2ndquadrant.com>)
List pgsql-hackers
Bruce Momjian <bruce@momjian.us> writes:
> I am sorry --- I am confused.  Why are we truncating or allowing control
> of truncation of BIND parameter values, but have no such facility for
> queries.  Do we assume queries are shorter than BIND parameters, or is
> it just that it is easier to trim BIND parameters than values embedded
> in non-EXECUTE queries.

The cases that Alvaro was worried about were enormous values supplied
via bind parameters.  We haven't heard comparable complaints about
the statement text.  Also, from a security standpoint, the contents
of the statement text are way more critical than the contents of
an out-of-line parameter; you can't do SQL injection from the latter.
So I think the audience for trimming would be a lot smaller for
statement-text trimming.

            regards, tom lane
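
The distinction drawn in the message above, as an added example that is not part of the original mail or of PostgreSQL: a logger that trims only out-of-line parameter values and keeps statement text whole. Python's sqlite3 stands in for a PostgreSQL session; the table, the `max_len` setting, the log format and the input value are constructed for illustration.

```python
import sqlite3

def truncate_param(value, max_len):
    """Trim one logged parameter value; max_len < 0 means log it whole."""
    text = str(value)
    if max_len < 0 or len(text) <= max_len:
        return text
    return text[:max_len] + "..."

def log_line(statement, params=(), max_len=-1):
    """Statement text is always logged whole; only bound values are trimmed."""
    line = "execute: " + statement
    if params:
        shown = ", ".join(f"${i} = '{truncate_param(p, max_len)}'"
                          for i, p in enumerate(params, 1))
        line += " | parameters: " + shown
    return line

def run_demo(max_len=8):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 10), ("bob", 20)])
    # Constructed input: an enormous value whose tail contains SQL syntax.
    value = "A" * 5000 + "' OR '1'='1"

    # Out-of-line parameter: the value is data and never reaches the parser.
    bound_sql = "SELECT name FROM accounts WHERE name = ?"
    bound_rows = db.execute(bound_sql, (value,)).fetchall()

    # Same value embedded in the statement text: it is parsed as SQL.
    inline_sql = "SELECT name FROM accounts WHERE name = '" + value + "'"
    inline_rows = db.execute(inline_sql).fetchall()

    return {
        "bound_rows": bound_rows,
        "inline_rows": sorted(r[0] for r in inline_rows),
        "bound_log": log_line(bound_sql, (value,), max_len),
        "inline_log": log_line(inline_sql),
    }

if __name__ == "__main__":
    result = run_demo()
    print(result["bound_log"])
    print(len(result["bound_rows"]), "rows via parameter;",
          len(result["inline_rows"]), "rows via statement text")
```

Trimming the bound value drops its tail from the log, but the statement that ran is still recorded exactly; in the inline case the altered predicate is only visible because the statement text was logged untrimmed.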