Conversation

Notices

Embed this notice
Nicholas Weaver (ncweaver@thecooltable.wtf)'s status on Friday, 09-Jun-2023 01:07:06 JST Nicholas Weaver

We harsh on buffer overflows as "fish in a barrel", but SQL injection is actually worse: There is NO excuse for not refactoring SQL accessing code into prepared statements, the amount of code is small to touch and the security win is huge.
That and invocations of system() rather than execve() are things that are on my instructions to students when onboarding to a project to look for, they are gaping vulnerabilities yet easy to find & fix.

In conversation Friday, 09-Jun-2023 01:07:06 JST from thecooltable.wtf permalink
- Embed this notice
  feld (feld@bikeshed.party)'s status on Friday, 09-Jun-2023 01:07:05 JST feld
  in reply to
  
  There are performance impacts with the query planner and prepared statements though
  
  In conversation Friday, 09-Jun-2023 01:07:05 JST permalink
- Embed this notice
  feld (feld@bikeshed.party)'s status on Friday, 09-Jun-2023 01:23:21 JST feld
  in reply to
  
  No, there's a massive performance issue.
  
  https://www.postgresql.org/message-id/CAKFQuwZDyjnCRGfvbQJrhfOiCx5z5%3DkhZr4QJWUMEcEcwx4s9A%40mail.gmail.com
  In conversation Friday, 09-Jun-2023 01:23:21 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: www.postgresql.org
    
    Re: BUG #17540: Prepared statement: PG switches to a generic query plan which is consistently much slower
    
    from David G. Johnston
    
    On Wed, Jul 6, 2022 at 2:41 PM PG Bug reporting form wrote: > The following bug has been …
- Embed this notice
  Nicholas Weaver (ncweaver@thecooltable.wtf)'s status on Friday, 09-Jun-2023 01:23:22 JST Nicholas Weaver
  in reply to
  - feld
  @feld
  The performance impact is in the noise, there is this thing called 'Amdahl's law'
  
  In conversation Friday, 09-Jun-2023 01:23:22 JST permalink
- Embed this notice
  feld (feld@bikeshed.party)'s status on Friday, 09-Jun-2023 04:27:52 JST feld
  in reply to
  
  It's not a 1 line config change fix, forcing custom plan all the time does not give you optimal performance
  
  Maybe if you had more than surface deep knowledge of the problem space and weren't trying to post for clout and instead asked "what are the current problems that are preventing the ubiquitous usage of prepared statements to solve SQL injections?" this could have been an opportunity for you to learn instead of looking like a smug asshole
  
  In conversation Friday, 09-Jun-2023 04:27:52 JST permalink
- Embed this notice
  Nicholas Weaver (ncweaver@thecooltable.wtf)'s status on Friday, 09-Jun-2023 04:27:53 JST Nicholas Weaver
  in reply to
  - feld
  @feld
  a: Which a 1 line config change fixed... and
  b: AMDAHL'S LAW!
  
  In conversation Friday, 09-Jun-2023 04:27:53 JST permalink
- Embed this notice
  feld (feld@bikeshed.party)'s status on Friday, 09-Jun-2023 05:38:26 JST feld
  in reply to
  - feld
  I'm sorry, I need to stop letting stuff like this get under my skin. There's no way we were going to rewrite 20 million lines of SQL at one of my previous jobs. WAF and input sanitization is all you can do
  
  In conversation Friday, 09-Jun-2023 05:38:26 JST permalink

Public

Conversation

Notices

Feeds