PostgreSQL. Is using random tag in dollar quoting without escaping input safe

performancepostgresqlquery-performancesql-injection

Is that safe to run such query without escaping input? Assume noone can guess the random string I generate.

SELECT * FROM foo WHERE bar = $long random tag$ THIS NOT ESCAPED $long random tag$

What drawbacks are?
For example if the tag will change for each transaction, will it have performance penalties?

EDIT: Doing escaping correctly is also sometimes tricky – remember PHP mysql_escape and mysql_real_escape and sometimes can be fooled or just forgotten. Proposed approach can be automatic.

EDIT 2:
Any ideas if that can be made on pure Postgres SQL? Remember that dollar quoting can be nested.

Best Answer

Postgres doesn't cache ad-hoc SQL query plans; only if your host environment is using prepare will the query plan be cached. But if prepare is used, then parameterisation is also being used so dollar quoting won't be necessary.

It follows, then, if you're not using prepare that each query will be parsed. In that case, you're probably best off accepting the 2 * (32 + 2) = 68 byte penalty and use UUIDs inside dollar quoting.

You could write code to generate a random short string -- eg $a$ and test if that appears in the input, and loop making that string longer if it appears. But the cost of such code might exceed just generating a UUID and using that.

Related Solutions

PostgreSQL – How to Replicate Two Databases Without Using Master DB

As far as which server Bucardo should run on, if both of your servers have the same resources, I would just pick one, because in multi-master, with two servers, the bucardo daemon won't have anything to do in a situation where the other server is down anyway. When the other server comes back up, you should just be able to restart the bucardo daemon and have it sync from the server that didn't go down.

https://mail.endcrypt.com/pipermail/bucardo-general/2013-June/001882.html

If you need something with HA, then, I would ask specifically on the bucardo-general mailing list, which is a wealth of knowledge.

You also might find these resources useful for dealing with Bucardo, in addition to the mailing list and the documentation.

Bootstrap Bucardo Multi-Master

Bucardo Multi-Master for PostgreSQL

Conflict Handling with Bucardo

Postgresql – Import data extracted from website directly into PostgreSQL database without using any text or csv file

You can open a pipe and write your data to the pipe directly. Related answer with demo code:

Insert SQL statements via command line without reopening connection to remote database

Or you can use COPY with a program or standard input directly:

COPY table_name [ ( column_name [, ...] ) ]
    FROM { 'filename' | PROGRAM 'command' | STDIN }
    [ [ WITH ] ( option [, ...] ) ]
...

When PROGRAM is specified, the server executes the given command and reads from the standard output of the program, or writes to the standard input of the program. The command must be specified from the viewpoint of the server, and be executable by the PostgreSQL user. When STDIN or STDOUT is specified, data is transmitted via the connection between the client and the server.

Best Answer

Related Solutions

PostgreSQL – How to Replicate Two Databases Without Using Master DB

Postgresql – Import data extracted from website directly into PostgreSQL database without using any text or csv file

Related Question