Re: Dynamic Query

From Tom Lane
Subject Re: Dynamic Query
Date
Msg-id 13151.1255992938@sss.pgh.pa.us
In response to Dynamic Query  (Andrew Hall <andrewah@hotmail.com>)
List pgsql-sql
Andrew Hall <andrewah@hotmail.com> writes:
> Is there a recommended way to translate this function into plpgSQL which would protect me from SQL Injection (most important for me) and use bind variables (of secondary importance)?

See quote_literal() and/or quote_nullable().  On the whole though I
think you'd be best off not using a dynamically-constructed query at
all --- given the desired %'s in the LIKE pattern, there is not going
to be any benefit at all from using an unparameterized query.  Just
write it out without all the string-construction.
        regards, tom lane
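As an added example (not from Tom Lane's reply or Andrew Hall's post), assuming a table `customer(id, name)` and a caller that passes a search fragment: the static form Tom recommends, which needs no string construction at all, next to the quote_nullable() form for the case where the statement text genuinely must be assembled at run time.

```sql
-- Added example, not from the original thread. Assumes a table
-- customer(id integer, name text) exists.

-- Static form (Tom Lane's recommendation): no dynamic SQL at all.
-- PL/pgSQL plans this statement with p_fragment as a bound parameter,
-- so whatever the caller passes is only ever pattern data, never SQL.
-- Note: a NULL fragment makes the whole pattern NULL and returns no rows,
-- and % or _ inside the fragment still act as LIKE wildcards (that is a
-- pattern-matching quirk, not an injection).
CREATE OR REPLACE FUNCTION find_customers(p_fragment text)
RETURNS SETOF customer
LANGUAGE plpgsql STABLE AS $$
BEGIN
    RETURN QUERY
        SELECT c.*
          FROM customer c
         WHERE c.name LIKE '%' || p_fragment || '%';
END;
$$;

-- Dynamic form, only if the SQL text really must vary at run time.
-- quote_nullable() returns the value as a correctly escaped string
-- literal (quotes inside the value are doubled) or the keyword NULL,
-- so the caller's text cannot terminate the literal and continue the
-- statement. Never concatenate the raw parameter into the string.
CREATE OR REPLACE FUNCTION find_customers_dyn(p_fragment text)
RETURNS SETOF customer
LANGUAGE plpgsql STABLE AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT c.* FROM customer c WHERE c.name LIKE '
        || quote_nullable('%' || p_fragment || '%');
END;
$$;

-- Usage: SELECT * FROM find_customers('smith');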

