Re: proposal: doc: simplify examples of dynamic SQL

Поиск
Список
Период
Сортировка
От Pavel Stehule
Тема Re: proposal: doc: simplify examples of dynamic SQL
Дата
Msg-id CAFj8pRC+wY-+YWJxUDL6E0w=vGxbeS+tdUQZh+OKmZCCuZkwEQ@mail.gmail.com
обсуждение исходный текст
Ответ на Re: proposal: doc: simplify examples of dynamic SQL  (Jim Nasby <Jim.Nasby@BlueTreble.com>)
Список pgsql-hackers
Дерево обсуждения
Hi

2014-10-03 5:16 GMT+02:00 Jim Nasby <Jim.Nasby@bluetreble.com>:
On 10/2/14, 6:51 AM, Pavel Stehule wrote:
EXECUTE format('UPDATE tbl SET %I = newvalue WHERE key = %L',
                    colname, keyvalue)
or
 -1, because of quoting issues

No it isn't. I is 100% safe
 
EXECUTE format('UPDATE tbl SET %I = newvalue WHERE key = $1',
                    colname)
  USING keyvalue;
 Better, but I think it should really be quote_ident( colname )
A old examples are very instructive, but little bit less readable and maybe too complex for beginners.

Opinions?
Honestly, I'm not to fond of either. format() is a heck of a lot nicer than a forest of ||'s, but I think it still falls short of what we'd really want here which is some kind of variable substitution or even a templating language. IE:

EXECUTE 'UDPATE tbl SET $colname = newvalue WHERE key = $keyvalue';

Your proposal significantly increase a work with string. Escaping and quoting depends on context, and should be different in different context. In PHP or Perl, this technique is the most simple backdoor for SQL injection.

Pavel

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Kouhei Kaigai
Дата:
Сообщение: Re: How to make ResourceOwnerForgetBuffer() O(1), instead of O(N^2) scale
Следующее
От: Pavel Stehule
Дата:
Сообщение: Re: proposal: doc: simplify examples of dynamic SQL