Hi Tom, On Tue, Dec 30, 2008 at 3:02 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote: > The point of a prepared statement IMHO is to do the planning only once. > There's necessarily a tradeoff between that and having a plan that's > perfectly adapted to specific parameter values. I agree, and normally it wouldn't be an issue. In this particular case, we are seeing response time to go from sub-second with non-prepared queries, to over 200 seconds w/ prepared queries. Note that is not an isolated case in our application, merely the numbers from this particular example. > > Reasonable client-side APIs should provide the option to use out-of-line > parameters, which is what you want to prevent SQL injection, without > hard-wiring that to the orthogonal concept of statements whose plan is > prepared in advance. In libpq, for instance, PQexecParams() does that. > > regards, tom lane > Again, I agree completely. What I am after I guess are some pointers on where to look for that, with regards to PHP. Whatever I turn up, I will turn over to our developers, but before I do that I want to be sure I am giving them the correct advice. Thanks, Bricklen -- Sent via pgsql-performance mailing list (pgsql-performance@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-performance
