Re: Is passing a list as a bound variable safe from SQL injection?

Поиск
Список
Период
Сортировка
От W. Matthew Wilson
Тема Re: Is passing a list as a bound variable safe from SQL injection?
Дата
Msg-id CAGHfCUDMq1uAstus-6qgjt3df45G9smGmqWZn4caWMXEXTfDfw@mail.gmail.com
обсуждение исходный текст
Ответ на Re: Is passing a list as a bound variable safe from SQL injection?  (Daniele Varrazzo <daniele.varrazzo@gmail.com>)
Ответы Re: Is passing a list as a bound variable safe from SQL injection?
Список psycopg
Дерево обсуждения
On Wed, Oct 2, 2013 at 12:17 PM, Daniele Varrazzo <daniele.varrazzo@gmail.com> wrote:
What other approach? Not using IN: the IN operator is converted to "=
any(array)" by the postgres parser:

=# explain select * from x where id in (1,2,3,4,5);
                         QUERY PLAN
------------------------------------------------------------
 Seq Scan on x  (cost=0.00..6.58 rows=5 width=51)
   Filter: (id = ANY ('{1,2,3,4,5}'::integer[]))

It is true that this can be very inefficient for long lists, I've
experimented it myself several times, but it's not something you can
change at driver level: creating a temp table to join on can be faster
even for not very long lists.


-- Daniele

This is the approach (and it does involve very long lists): 

http://www.datadoghq.com/2013/08/100x-faster-postgres-performance-by-changing-1-line/

Instead of writing = any(array[1,2,3,4]), they wrote = any(values (1), (2), (3), (4), )

and somehow that works more quickly.

Would it be possible to make a python list subclass that converts itself to "values ( ... )" rather than to "array[ ... ]"?  I imagine that this might be useful for these gigantic lists.

Matt




--
W. Matthew Wilson
matt@tplus1.com
http://tplus1.com

В списке psycopg по дате отправления:

Предыдущее
От: Daniele Varrazzo
Дата:
Сообщение: Re: Is passing a list as a bound variable safe from SQL injection?
Следующее
От: Federico Di Gregorio
Дата:
Сообщение: Re: Is passing a list as a bound variable safe from SQL injection?