Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)

From: Pavel Stehule
Subject: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)
Date:
Msg-id: 162867790710161154j5e0795afh6f7cbf22a266aa43@mail.gmail.com
Replies: Re: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)  ("Merlin Moncure" <mmoncure@gmail.com>)
Re: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)  ("Brendan Jurd" <direvus@gmail.com>)
Re: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)  (Bruce Momjian <bruce@momjian.us>)
List: pgsql-hackers
Hello,

This proposal changes an older, unaccepted proposal:
http://archives.postgresql.org/pgsql-hackers/2006-03/msg01157.php

Changes:
* based on prepared statements
* syntax and behaviour are close to Oracle's
* usable as protection from SQL injection

New syntax:

a) EXECUTE stringexpr [INTO [STRICT] varlist] [USING exprlist]

b) FOR varlist IN EXECUTE stringexpr USING exprlist LOOP ...

Reason:
* defence against SQL injection
* more readable, shorter, more comfortable

Sample (secure dynamic statement):

    EXECUTE 'SELECT * FROM '
            || CASE tblname
                   WHEN 'tab1' THEN 'tab1'
                   WHEN 'tab2' THEN 'tab2'
                   ELSE '"some is wrong"'
               END
            || ' WHERE c1 = $1 AND c2 = $2'
       USING unsecure_parameter1, unsecure_parameter2;

Differences between PL/SQL and this proposal:
* allows only IN variables
* uses the PostgreSQL placeholder notation: $n instead of :n

Compliance with PL/SQL
* You can use numeric, character, and string literals as bind arguments
* You cannot use bind arguments to pass the names of schema objects to
a dynamic SQL statement.

Best regards

Pavel Stehule
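The following is an added example, not code from the proposal or from PostgreSQL itself. It puts the string-concatenation form of dynamic SQL, which is open to injection, beside the EXECUTE ... INTO ... USING form the proposal describes, in which the untrusted value is passed as a bind parameter and the table name (which cannot be bound, as the proposal notes) is checked against an allow-list and quoted with quote_ident. The table tab1, its columns c1 and c2, the function names find_unsafe and find_safe, and the attacker input are all constructed for illustration and are assumptions.

```sql
-- Added example (not part of the original post). Assumes the EXECUTE ... USING
-- syntax described in the proposal (it shipped in PostgreSQL 8.4).
-- Table, columns and function names are constructed for illustration.
CREATE TABLE tab1 (c1 int, c2 text);
INSERT INTO tab1 VALUES (1, 'alpha'), (2, 'beta');

-- Vulnerable form: the untrusted value is spliced into the SQL text, so a
-- quote inside it terminates the literal and the rest becomes SQL.
CREATE OR REPLACE FUNCTION find_unsafe(tblname text, val text)
RETURNS bigint AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM ' || quote_ident(tblname)
         || ' WHERE c2 = ''' || val || ''''
       INTO n;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

-- Hardened form: the table name is validated against an allow-list (it cannot
-- be a bind argument) and identifier-quoted; the value goes in as $1 via
-- USING, so it is only ever a parameter, never statement text.
CREATE OR REPLACE FUNCTION find_safe(tblname text, val text)
RETURNS bigint AS $$
DECLARE
    n bigint;
BEGIN
    IF tblname NOT IN ('tab1', 'tab2') THEN
        RAISE EXCEPTION 'table % is not permitted', tblname;
    END IF;
    EXECUTE 'SELECT count(*) FROM ' || quote_ident(tblname)
         || ' WHERE c2 = $1'
       INTO STRICT n
      USING val;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

-- Constructed attacker input: the PL/pgSQL string below is  x' OR '1'='1
-- (single quotes doubled inside the literal).
SELECT find_unsafe('tab1', 'x'' OR ''1''=''1');
SELECT find_safe('tab1', 'x'' OR ''1''=''1');
SELECT find_safe('tab1', 'alpha');
SELECT find_safe('pg_authid', 'x');
```

Against the two-row table, find_unsafe with the attacker input evaluates WHERE c2 = 'x' OR '1'='1' and counts every row, while find_safe compares c2 against the whole string as one literal and matches nothing; the plain 'alpha' lookup still works, and the pg_authid call is rejected by the allow-list before any SQL is built. INTO STRICT is safe here because count(*) always yields exactly one row; with a query that can return zero or several rows it raises an error instead of silently picking one.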

