Re: Prepared statements with bind parameters for DDL

From: Tom Lane
Subject: Re: Prepared statements with bind parameters for DDL
Date:
Msg-id: 25178.1423698441@sss.pgh.pa.us
In reply to: Re: Prepared statements with bind parameters for DDL (Martijn van Oosterhout <kleptog@svana.org>)
List: pgsql-general
Martijn van Oosterhout <kleptog@svana.org> writes:
> On Wed, Feb 11, 2015 at 02:22:10PM -0500, Tom Lane wrote:
>> Nope.  DDL commands generally don't have any support for evaluating
>> expressions, which would be the context in which parameters would
>> be useful.  Nor have they got plans, which would be the requirement
>> for prepared statements to be good for much either.

> Not really true, there are plenty of cases where you just want to fill
> in literals without having to worry about quoting. For example:

> DROP TABLE %s

True, but that is not what Postgres thinks is a parameter; for example
you cannot do "SELECT * FROM %s", nor could you persuade it to interpret a
parameter as a column reference in a SELECT.

> ... is opening yourself up to SQL injection. I've wondered if it were
> possible to be able to say:

> DROP TABLE IDENTIFIER($1);

A meta-function like that would just provide a different route for SQL
injection, I suspect, particularly when attacking applications that
hadn't gotten the memo about "IDENTIFIER()" being magic.

I think there's considerable value in a client-library function for safe
interpolation of this sort, but I doubt that trying to shoehorn it into
the server is the answer.

            regards, tom lane
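The client-library approach Tom Lane favours above, as an added example that is not part of this thread or of any PostgreSQL driver: a small Python helper that applies the same rule libpq's PQescapeIdentifier uses (always double-quote, double any embedded double quote), with the NUL and 63-byte length checks added here as defensive assumptions, next to the `DROP TABLE %s` pattern from the thread for comparison. The sample names are constructed.

```python
"""Client-side safe identifier interpolation for DDL such as DROP TABLE."""

# PostgreSQL's default NAMEDATALEN; the server silently truncates
# identifiers longer than NAMEDATALEN-1 bytes, so we refuse them instead.
NAMEDATALEN = 64


def quote_ident(name: str) -> str:
    """Return `name` as one double-quoted SQL identifier.

    Rule (same as libpq's PQescapeIdentifier): wrap in double quotes and
    double every embedded double quote.  Whatever the string contains, the
    parser sees exactly one identifier token, never a second statement.
    """
    if not isinstance(name, str) or name == "":
        raise ValueError("identifier must be a non-empty string")
    if "\x00" in name:
        raise ValueError("identifier must not contain a NUL byte")
    if len(name.encode("utf-8")) > NAMEDATALEN - 1:
        raise ValueError("identifier longer than 63 bytes would be truncated")
    return '"' + name.replace('"', '""') + '"'


def quote_qualified(*parts: str) -> str:
    """Quote each part of a schema-qualified name, e.g. public.users."""
    return ".".join(quote_ident(p) for p in parts)


def drop_table_sql(*name_parts: str, if_exists: bool = False) -> str:
    """Build a DROP TABLE statement from an untrusted table name safely."""
    clause = "IF EXISTS " if if_exists else ""
    return f"DROP TABLE {clause}{quote_qualified(*name_parts)}"


def unsafe_drop_table_sql(name: str) -> str:
    """The `DROP TABLE %s` pattern from the thread, kept only for comparison."""
    return "DROP TABLE %s" % name


if __name__ == "__main__":
    # Constructed sample names: a plain one, one with a space, one with a quote.
    for n in ("users", "Audit Log", 'odd"name'):
        print(drop_table_sql("public", n))
    print(unsafe_drop_table_sql("users"))
```

Even a hostile name stays a single quoted identifier, so the worst outcome is an error about a table that does not exist rather than an extra statement.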
