table of content

1 Why PostgreSQL matters—and why talking about mistakes does too

1.1 Why learning about PostgreSQL matters

1.2 Why talking about PostgreSQL mistakes matters

1.3 What you will learn

1.4 Typical kinds of PostgreSQL mistakes

1.4.1 Coming with expectations from other databases

1.4.2 Misunderstanding PostgreSQL

1.4.3 Misunderstanding the documentation

1.4.4 Using relics from the SQL Standard

1.4.5 Not following best practices

1.5 How this book works

1.5.1 Mental models

1.5.2 Example mistake

1.6 Sample database: Frogge Emporium

2 Bad SQL usage

2.1 Using NOT IN to exclude

2.1.1 Performance implications

2.1.2 Alternative

2.2 Selecting ranges with BETWEEN

2.3 Not using CTEs

2.4 Using uppercase identifiers

2.5 Dividing INTEGERs

2.6 COUNTing NULL values

2.7 Querying indexed columns with expressions

2.8 Upserting NULLs in a composite unique key

2.9 Selecting and fetching all the data

2.10 Not taking advantage of checkers/linters or large language models

2.10.1 Code checkers/linters

2.10.2 Large language models

3 Improper data type usage

3.1 TIMESTAMP (WITHOUT TIME ZONE)

3.2 TIME WITH TIME ZONE

3.3 CURRENT_TIME

3.4 CHAR(n)

3.5 VARCHAR(n)

3.6 MONEY

3.7 SERIAL data type

3.8 XML

4 Table and index mistakes

4.1 Table inheritance

4.2 Neglecting table partitioning

4.3 Partitioning by multiple keys

4.4 Using the wrong index type

5 Improper feature usage

5.1 Selecting SQL_ASCII as the encoding

5.2 CREATE RULE

5.3 Relational JSON

5.4 Putting UUIDs everywhere

5.5 Homemade multi-master replication

5.6 Homemade distributed systems

6 Performance bad practices

6.1 Default configuration in production

6.2 Improper memory allocation

6.3 Having too many connections

6.4 Having idle connections

6.4.1 What is MVCC?

6.4.2 The problem with idle connections

6.5 Allowing long-running transactions

6.5.1 Idle in transaction

6.5.2 Long-running queries in general

6.6 High transaction rate

6.6.1 XID wraparound

6.6.2 Burning through lots of XIDs

6.7 Turning off autovacuum/autoanalyze

6.8 Not using EXPLAIN (ANALYZE)

6.9 Locking explicitly

6.10 Having no indexes

6.11 Having unused indexes

6.12 Removing indexes used elsewhere

7 Administration bad practices

7.1 Not tracking disk usage

7.1.1 Deleting the Write-Ahead Log

7.1.2 What can eat up your disk space?

7.1.3 What can you do?

7.2 Logging to PGDATA

7.3 Ignoring the logs

7.3.1 Bad configuration

7.3.2 Performance issues

7.3.3 Locks

7.3.4 Corruption

7.3.5 Security

7.4 Not monitoring the database

7.5 No tracking of statistics over time

7.6 Not upgrading Postgres

7.7 Not upgrading your system

8 Security bad practices

8.1 Specifying psql -W or - -password

8.2 Setting listen_addresses = '*'

8.3 trust-ing in pg_hba.conf

8.4 Database owned by a superuser

8.5 Setting SECURITY DEFINER carelessly

8.6 Choosing an insecure search path

9 High availability bad practices

9.1 Not taking backups

9.2 No Point-in-Time Recovery

9.3 Backing up manually

9.4 Not testing backups

9.5 Not having redundancy

9.6 Using no HA tool

10 Upgrade/migration bad practices

10.1 Not reading all release notes

10.2 Performing inadequate testing

10.3 Succumbing to encoding chaos

10.4 Not using proper BOOLEANs

10.5 Mishandling differences in data types

11 PostgreSQL, best practices, and you: Final insights

11.1 What type of user are you?

11.1.1 The dabbler

11.1.2 The cautious steward

11.1.3 The oblivious coder

11.1.4 The freefaller

11.2 Be proactive: Act early

11.3 All right, so you inherited a bad database

11.3.1 “Historical reasons”

11.3.2 What now?

11.3.3 First things first

11.4 Treat Postgres well, and it will treat you well

Appendix

Appendix A: Frogge Emporium database

A.1 Frogge Emporium database schema

A.2 Frogge Emporium database data

Appendix B: Cheat sheet

Overview

8 Security bad practices

PostgreSQL offers strong security defaults and a vigilant security team, but real-world breaches often result from everyday operator mistakes. This chapter surveys the practices that most commonly undermine a secure deployment: relying on misleading password prompts, exposing instances to untrusted networks, overbroad access rules, and writing or configuring database code in ways that invite privilege escalation or data leaks.

On connectivity and authentication, the -W/--password switch is a footgun: it prompts even when the server doesn’t require a password, masking dangerous passwordless setups and training users to trust “successful” logins even with mistyped credentials. Avoid embedding cleartext passwords in commands or configs; let the server prompt when needed and use proper secret storage. Network-wise, setting listen_addresses to “*” expands the attack surface by accepting connections on every interface; bind only to required private addresses and layer firewall allowlists. In pg_hba.conf, trust is not authentication and should be avoided entirely; instead, use scram-sha-256, enforce SSL where appropriate, and craft narrow rules per database, role, and source host.

On authorization and code execution, don’t let superusers own application databases or connect as the application, as superuser privileges bypass most checks, weaken auditing, and enable accidental or intentional damage. SECURITY DEFINER turns functions into setuid-like entry points; restrict EXECUTE to intended roles, keep definitions simple, validate inputs, and set a safe search_path. Finally, control schema resolution to prevent object hijacking: revoke unnecessary CREATE on the public schema (especially on upgraded clusters), restrict who can create objects in shared schemas, prefer explicit schema qualification, and organize per-application schemas to block malicious overrides and unintended code execution.

A superuser, analogous to the root user in UNIX, can bypass all privilege checks and do more things that no other user can. It is far more dangerous than simply having all privileges on all databases.

Summary

Using psql -W or --password can be confusing and lead to lapses in security. Rely on PostgreSQL’s automatic built-in password prompt mechanism instead.
Setting listen_addresses = '*' can expose your database server to insecure networks, so you should only enable the trusted network interfaces that are necessary for database connectivity.
Using the trust method in pg_hba.conf in production environments is unacceptable. You should always enforce proper authentication to your server and restrict access as much as is practical.
Having your databases and their contents owned by a superuser can lead to security problems and accidental damage to your data. Instead, create roles that have only the relevant permissions to own and manage these databases, and grant permissions selectively to other roles.
Declaring functions as SECURITY DEFINER can cause data leaks and enable privilege escalation. To reduce risk, use it sparingly and with a safe search_path, and prefer the combination of SECURITY INVOKER with explicit GRANTs.
Not securing your search_path can let others hijack queries and escalate their privileges. Apply tight control over object creation in schemas, and reference objects owned by trusted users only in queries.

FAQ

Is it safe to always pass -W/--password to psql?

No. That switch merely forces the client to prompt, even if the server doesn’t require a password. It can hide a misconfiguration (e.g., passwordless access), makes wrong passwords appear to “work,” and adds no benefit when the server does require a password (it will prompt anyway). Also, never put plaintext passwords in command lines or connection strings.

What’s the right way to handle passwords for psql and other tools?

- Rely on the automatic prompt when the server requires a password.
- Prefer secure mechanisms such as a protected .pgpass file or a secret manager.
- Avoid passing secrets via command line args or storing them in scripts/configs in cleartext.

Why is setting listen_addresses = '*' risky?

It makes PostgreSQL accept connections on all network interfaces. If the host has any public-facing interface, you may unintentionally expose the database to the internet, greatly expanding the attack surface.

How should I safely restrict where PostgreSQL listens?

- Keep the default (localhost) unless remote access is truly needed.
- Bind only to the specific private IPs that should accept connections, e.g.: listen_addresses = '10.10.10.56'.
- Layer firewall rules to allow only trusted subnets/hosts and log connection attempts.

What does “trust” in pg_hba.conf do, and why shouldn’t I use it?

trust disables authentication. Any PostgreSQL user from the allowed host/subnet can connect without a password. A single compromised machine on that network becomes a gateway to your database. Avoid trust completely in production (and even on shared development hosts).

What should I use in pg_hba.conf instead of trust?

- Use password-based authentication with SCRAM, and prefer TLS: hostssl ... scram-sha-256.
- Limit by database, user, and host (avoid broad “all/all/all”).
- Example: hostssl mydb myuser 10.10.10.29/32 scram-sha-256.

Why shouldn’t databases (or objects) be owned by a superuser?

Superusers bypass most checks (including many permission and RLS safeguards). Ownership by superuser encourages superuser connections and makes it easy to unintentionally run code with elevated privileges, enabling privilege escalation and complicating auditing. Create dedicated non-superuser roles to own databases/objects and grant only the needed privileges.

When is SECURITY DEFINER appropriate, and how do I use it safely?

- Use only when a function must run with the owner’s rights.
- Immediately REVOKE execute from PUBLIC and GRANT only to intended roles.
- Keep logic minimal, validate inputs, and review/test thoroughly.
- Set a safe search_path on the function (e.g., pg_catalog, your schema, pg_temp) to avoid hijacking.

What’s dangerous about an insecure search_path, and how do I mitigate?

If an untrusted schema appears earlier in search_path, identically named objects can be chosen first, leading to query/code hijacking. Mitigations:
- Qualify object names for sensitive code.
- Remove untrusted schemas from search_path and restrict who can CREATE in shared schemas (e.g., REVOKE CREATE ON SCHEMA public FROM PUBLIC;).
- In SECURITY DEFINER functions, set a strict search_path (pg_catalog, trusted app schema, pg_temp).

What’s a quick checklist to avoid these security footguns?

- Don’t rely on -W/--password; never put passwords on the command line.
- Bind to specific IPs; avoid listen_addresses = '*'; add firewall allowlists.
- Ban trust in pg_hba.conf; use scram-sha-256 over TLS and least-privilege HBA rules.
- Reserve superuser for admin tasks; use app-specific roles and RBAC.
- Use SECURITY DEFINER sparingly; REVOKE from PUBLIC; set safe search_path.
- Remove CREATE from public for non-admins; audit and monitor access; keep up with security updates.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$54.99 $38.49

you save $16.50 (30%)

include audio $19.99 $13.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$54.99 $38.49

you save $16.50 (30%)

include audio $19.99 $13.99

eBook

pdf, ePub, online

$54.99 $38.49

you save $16.50 (30%)

include audio $19.99 $13.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more