On 19.01.2011 12:53, Pavel Stehule wrote:
> The EXECUTE statement doesn't support parametrization via the
> SPI_execute_with_args call or PQexecParams either. It can be a security
> issue. If somebody uses a prepared statement as protection against SQL
> injection, then all security goes out, because he has to call EXECUTE
> without parametrization.
Why don't you use SPI_prepare and SPI_open_query?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com