Hi,
On Mon, 10 Jul 2006, Dirk Lutzebäck wrote:
> Hi Simon,
> are you sure this has not been changed? I'm pretty sure my code worked a
> while ago. We are using Perl DBD::Pg on the client side and almost never pass
> parameters inside the SQL string for security reasons. I can't say if it
> broke from 8.0 -> 8.1 for us or in one of the minor 8.1 releases.
DBD::Pg only recently started preparing queries in the server.
Older versions of DBD::Pg simulated prepared statements behind the
scenes so your postgresql server got to plan every query individually.
You might want to switch off server side prepares for your specific
query and see if that helps. See the description of the pg_server_prepare
in the DBD::Pg manpage on how to go about this.
> In any case I would see this as a security problem because you cannot control
> sql code injection easily (as with using DBD::Pg) if you have to pass
> parameters in the SQL string to use partial indexes.
I hope you are not relying on prepared statements as your only
defense against sql code injection.
Greetings
Christian
--
Christian Kratzer [EMAIL PROTECTED]
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
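The per-statement switch Christian refers to, as an added example that is not from the original thread: it keeps the values out of the SQL string written by the application (DBD::Pg still does the quoting) while turning off the server-side prepare for just this query, so the planner sees the literal predicate value and can match it against a partial index. The database name, table, columns and index are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Assumes a database "appdb"
# with a table orders(id int, customer_id int, status text, total numeric)
# and a partial index (all names hypothetical):
#   CREATE INDEX orders_open_idx ON orders (customer_id) WHERE status = 'open';
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:Pg:dbname=appdb', 'app', '',
                       { RaiseError => 1, AutoCommit => 1 });

# The application never interpolates values into this string.
my $sql = 'SELECT id, total FROM orders WHERE status = ? AND customer_id = ?';

# With a server-side prepare (the current DBD::Pg default) the server plans
# "status = $1" once, without knowing $1, and cannot prove that it matches the
# index predicate "status = 'open'", so the partial index is never chosen.
# With pg_server_prepare => 0 for this statement, DBD::Pg quotes each bound
# value itself and sends one complete statement; the planner then sees the
# literal 'open' and can use orders_open_idx. Quoting remains the driver's job,
# so the injection exposure is the same as with the server-side prepare.
sub open_orders_for {
    my ($dbh, $customer_id) = @_;
    my $sth = $dbh->prepare($sql, { pg_server_prepare => 0 });
    $sth->execute('open', $customer_id);
    return $sth->fetchall_arrayref({});
}

# Show the plan the server picks for the client-side-bound statement, so the
# effect on index use can be checked rather than assumed.
sub explain_open_orders {
    my ($dbh, $customer_id) = @_;
    my $sth = $dbh->prepare("EXPLAIN $sql", { pg_server_prepare => 0 });
    $sth->execute('open', $customer_id);
    return join "\n", map { $_->[0] } @{ $sth->fetchall_arrayref };
}

print explain_open_orders($dbh, 42), "\n";
for my $row (@{ open_orders_for($dbh, 42) }) {
    printf "%d\t%s\n", $row->{id}, $row->{total};
}
$dbh->disconnect;
```

Setting `$dbh->{pg_server_prepare} = 0` on the handle instead would disable server-side prepares for every statement on that connection; the per-prepare attribute limits the change to the query that needs the partial index.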