From: Lionel B. <lio...@bo...> - 2007-08-05 18:26:59
Karl O. Pinc wrote the following on 05.08.2007 20:04 :
> Thanks for looking at this.
>
> The DBI had also better be doing a "DEALLOCATE" when the
> prepared query goes out of scope, or else (in PostgreSQL)
> it won't get deallocated on the server side.
>
> I don't see the point in using prepared queries that
> are only executed once.

Protecting against SQL injection attacks. You should always use prepared statements for user-submitted data. You can manually quote the data, but it makes ugly code and isn't easily modified to use cached prepared statements when optimizing later.

This is actually why the date wasn't out of the prepared statements in your example: this is the only part in the condition that isn't input from Postfix (and so could be manipulated by the original sender; Postfix doesn't sanitize everything, and maybe even anything, before submitting it to SQLgrey).

Lionel.
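The point Lionel makes above (fields that come from the SMTP client must go through placeholders, while a value the program computes itself, such as the date, need not) is shown below as an added example. It is not code from this thread or from SQLgrey: SQLgrey is written in Perl against DBI/PostgreSQL, whereas this example uses Python's built-in sqlite3 so it runs offline. The table layout (a greylisting triplet of sender, recipient and source IP plus a first-seen date) and the sample rows are constructed for the demonstration; the hostile sender address is a generic comment-terminated injection, not a claim about any real message that hit SQLgrey.

```python
import sqlite3


def make_db():
    """Build an in-memory table of constructed greylisting triplets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE connect "
        "(sender TEXT, recipient TEXT, src TEXT, first_seen TEXT)"
    )
    # Constructed sample rows (not real SQLgrey data).
    rows = [
        ("alice@example.org", "bob@example.net", "192.0.2.10", "2007-08-01"),
        ("mallory@example.com", "bob@example.net", "198.51.100.7", "2007-08-04"),
    ]
    conn.executemany("INSERT INTO connect VALUES (?, ?, ?, ?)", rows)
    return conn


def count_vulnerable(conn, sender, recipient, src):
    """The 'manual quoting' anti-pattern: client-controlled strings are
    spliced straight into the SQL text. A single quote in the sender
    address ends the literal and the rest of the input becomes SQL."""
    sql = (
        "SELECT COUNT(*) FROM connect "
        "WHERE sender='%s' AND recipient='%s' AND src='%s'"
        % (sender, recipient, src)
    )
    return conn.execute(sql).fetchone()[0]


def count_prepared(conn, sender, recipient, src, cutoff="2007-08-05"):
    """The prepared/parameterised form. Everything that originates from
    the SMTP client (sender, recipient, source IP) travels as a bound
    parameter and can never be parsed as SQL. The date cutoff is
    computed by the program, not received from the network, so it is
    the one part of the condition that may stay a literal in the SQL
    text, which mirrors the reasoning in the post above. Here it is a
    hypothetical default value for illustration."""
    sql = (
        "SELECT COUNT(*) FROM connect "
        "WHERE sender=? AND recipient=? AND src=? "
        "AND first_seen < '%s'" % cutoff
    )
    return conn.execute(sql, (sender, recipient, src)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # A sender address crafted by the remote MTA/original sender. The
    # trailing "--" comments out the rest of the WHERE clause.
    hostile = "x' OR 1=1 --"
    print("vulnerable:", count_vulnerable(db, hostile, "bob@example.net", "192.0.2.10"))
    print("prepared:  ", count_prepared(db, hostile, "bob@example.net", "192.0.2.10"))
```

Run stand-alone, the vulnerable query reports both rows as matching (the attacker has effectively deleted the recipient and source-IP conditions), while the prepared query reports zero because the hostile string is compared, as data, against the sender column and matches nothing. Note that the prepared form is also the one that is trivially reusable later if the statement handle is cached and executed many times.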