Postgres Pro
Downloads
Home   >   mailing lists

Re: BUG #13449: Auto type cast (int -> numeric) non-reasonable, will case performance problem - Mailing list pgsql-bugs

From Heikki Linnakangas
Subject Re: BUG #13449: Auto type cast (int -> numeric) non-reasonable, will case performance problem
Date
Msg-id 55821E42.6040907@iki.fi
Whole thread Raw
In response to BUG #13449: Auto type cast (int -> numeric) non-reasonable, will case performance problem  (digoal@126.com)
List pgsql-bugs
Tree view 
On 06/16/2015 10:17 PM, digoal@126.com wrote:
> When i use an big digital, it auto convert to numeric. and there is no
> int&numeric operator, so left opr auto convert to numeric also.
> for exp:
> postgres=# create table t3(id int);
> CREATE TABLE
> postgres=# insert into t3 select generate_series(1,10000000);
> INSERT 0 10000000
> postgres=# create index idx_t3_id on t3(id);
> CREATE INDEX
> postgres=# explain analyze select * from t3 where
> id>999999999999999999999999999999999;
>                                                               QUERY PLAN
>
>
------------------------------------------------------------------------------------------------------------------------------------
>   Index Only Scan using idx_t3_id on t3  (cost=0.43..238213.43 rows=3333333
> width=4) (actual time=4052.914..4052.914 rows=0 loops=1)
>     Filter: ((id)::numeric > '999999999999999999999999999999999'::numeric)
>     Rows Removed by Filter: 10000000
>     Heap Fetches: 10000000
>   Planning time: 0.283 ms
>   Execution time: 4052.944 ms
> (6 rows)
>
> postgres=# explain analyze select * from t3 where
> id=999999999999999999999999999999999;
>                                                              QUERY PLAN
>
>
----------------------------------------------------------------------------------------------------------------------------------
>   Index Only Scan using idx_t3_id on t3  (cost=0.43..238213.43 rows=50000
> width=4) (actual time=3907.391..3907.391 rows=0 loops=1)
>     Filter: ((id)::numeric = '999999999999999999999999999999999'::numeric)
>     Rows Removed by Filter: 10000000
>     Heap Fetches: 10000000
>   Planning time: 0.103 ms
>   Execution time: 3907.421 ms
> (6 rows)
>
> I think ,this case, PostgreSQL should convert
> 999999999999999999999999999999999 to the same type with column id's type
> int. and raise error.
>
> there is some problem, user can use this to SQL injection attack or other
> things, Oops, Application has ability to filter the overflow digital, but i
> think PostgreSQL also has responsibility to prevent overflow occure.

The current behaviour seems perfectly fine to me. If you want to force a
specific datatype, you're better off passing the parameter out-of-line,
and specify the datatype explicitly. I don't see any security issue here.

- Heikki

pgsql-bugs by date:

Previous
From: Michael Paquier
Date:
Subject: Re: BUG #13448: DOC about : pg_dump use logical replication snapshot
Next
From: Guillaume Lelarge
Date:
Subject: Re: BUG #13450: problem about applying point-in-time recovery