On Thu, May 2, 2013 at 9:48 AM, Simon Riggs <[email protected]> wrote: >>> SELECT count(k0.id) >>> FROM k0 >>> WHERE 1 = 2 >>> OR k0.id IN ( >>> SELECT k1.k0_id >>> FROM k1 >>> WHERE k1.k1k2_id IN ( >>> SELECT k2.k1k2_id >>> FROM k2 >>> WHERE k2.t = 2 >>> AND (coalesce(k2.z, '')) LIKE '%12%' >>> ) >>> ); >> ... > > The situation shown could be the result of SQL injection attack. > > It would be nice to have a switch to do additional checks on SQL > queries to ensure such injections don't cause long runtimes to return > useless answers.
How could that be the case without becoming much much worse than large runtimes? I don't think it's the place of the database to worry about SQL injection. -- Sent via pgsql-performance mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-performance
