Re: Is this a bug, possible security hole, or wrong assumption?

From Sander Steffann
Subject Re: Is this a bug, possible security hole, or wrong assumption?
Date
Msg-id 001601c20f96$c2f655f0$64c8a8c0@balefire10ww
In reply to Is this a bug, possible security hole, or wrong assumption?  (Mike Mascari <mascarm@mascari.com>)
List pgsql-general
Hi,

> Mike Mascari <mascarm@mascari.com> writes:
> > What appears to me is that the rewriter is just tacking the IS NULL test
> > onto the parsed query. As a result, a function is called with data from
> > a view before the evaluation of IS NULL removes those rows from the
> > selection process. Is that right? If so, is that a security problem?
>
> You're essentially asking for a guarantee about the order of evaluation
> of WHERE clauses.  There is no such guarantee, and won't be because it
> would be a crippling blow to performance.

But he is right in that his trick works. This proves that views can not be
safely used for security, which is an important thing to realise...

Sander.
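
An added illustration of the behaviour discussed in this thread, not code from the original posts: a plain view whose filter can be bypassed by a side-effecting function in the caller's WHERE clause, next to the same view declared with `security_barrier`. The table, view and function names are hypothetical, the data is constructed, an equality filter stands in for the thread's IS NULL test, and PostgreSQL 9.2 or later is assumed for `security_barrier`.

```sql
-- Constructed schema and data; every name here is hypothetical.
CREATE TABLE employees (name text, salary numeric, status text);
INSERT INTO employees VALUES
    ('alice', 5200, 'active'),
    ('bob',   4100, 'terminated');

-- Weak: a plain view. It is expanded into the caller's query, so its
-- filter ends up as one more WHERE clause beside the caller's own.
CREATE VIEW current_staff AS
    SELECT name, salary FROM employees WHERE status = 'active';

-- A caller-supplied function that reports each value it is handed.
-- The very low declared COST makes the planner schedule it early.
CREATE FUNCTION observe(text, numeric) RETURNS boolean AS $$
BEGIN
    RAISE NOTICE 'evaluated on % / %', $1, $2;
    RETURN true;
END;
$$ LANGUAGE plpgsql COST 0.0000001;

-- The result set is still limited to active staff, but observe() can be
-- called on bob's row as well: nothing forces status = 'active' to be
-- tested before the caller's clause, so the NOTICE channel leaks it.
SELECT * FROM current_staff WHERE observe(name, salary);

-- Hardened: a security_barrier view. Its own filter is applied before
-- any caller-supplied qualification that is not marked LEAKPROOF, so
-- observe() is only ever handed rows the view is meant to expose.
CREATE VIEW current_staff_barrier WITH (security_barrier) AS
    SELECT name, salary FROM employees WHERE status = 'active';

SELECT * FROM current_staff_barrier WHERE observe(name, salary);
```

The barrier is opt-in per view because it limits how far the planner can push caller conditions down into the view, which can slow queries.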


