Discussion: DO Statement Body Parameters
I think I understand what is happening but am curious if something along these lines can be accomplished? Consider the following SQL statement (executed via JDBC against a 9.0.3 installation):

DO $$
BEGIN
PERFORM someexistingfunction ( ? );
END;
$$

It appears that such a format is invalid since JDBC will not provide any parameter hooks and, as written, the SQL parser does not like the unquoted question mark (it works fine with real values in place of the '?'). My guess is that the anonymous function created by DO is immediately "compiled" and thus the placeholder never gets a chance to be replaced with a real value.

Given that you cannot place function parameters onto the DO statement (i.e., DO (varchar, varchar) $$ $$;), the only way to use DO is to build the full SQL by hand and introduce possible SQL injection weaknesses into the system.

Is this a conscious design decision in order to address the complexity of making a DO statement possible at all, or is it an oversight that is or could be planned for future correction? Or should it work except for some limitation of JDBC? I am not sure how I'd go about testing a parameterized query without using JDBC...

Thanks

David J.
On Thu, Mar 24, 2011 at 1:33 AM, David Johnston <polobo@yahoo.com> wrote:
> I am not sure how I'd go about testing a parameterized
> query without using JDBC...

How about this?
http://www.postgresql.org/docs/9.0/interactive/sql-prepare.html

HTH,
WBL
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
--
"Patriotism is the conviction that your country is superior to all others because you were born in it." -- George Bernard Shaw
2011/3/24 Willy-Bas Loos <willybas@gmail.com>:
> On Thu, Mar 24, 2011 at 1:33 AM, David Johnston <polobo@yahoo.com> wrote:
>> I am not sure how I'd go about testing a parameterized
>> query without using JDBC...
>
> How about this?
> http://www.postgresql.org/docs/9.0/interactive/sql-prepare.html
>
> HTH,
> WBL

You can't prepare a DO statement - it has no plan :(. I worked on a parameterized DO statement, but this patch was rejected as premature optimization.

Regards

Pavel Stehule
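The following is an added example, not code posted by anyone in this thread. It reproduces the situation in David's question (a DO body assembled by string concatenation because DO accepts no parameters), shows what a hostile value does to such a body, and then shows the two routes that do bind the value: wrapping the body in a real function called with a bound parameter from JDBC, and the server-side PREPARE/EXECUTE that Willy-Bas linked and Pavel notes cannot be applied to DO itself. The function `someexistingfunction`, the table `audit_log` and the helper `run_block` are constructed here for the example; only the DO and PREPARE behaviour comes from the thread.

```sql
-- Added example (not from the thread). someexistingfunction() and audit_log
-- are invented stand-ins for the function David calls from his DO block.
CREATE TABLE audit_log (entry text);

CREATE FUNCTION someexistingfunction(p text) RETURNS void AS $f$
    INSERT INTO audit_log VALUES (p);
$f$ LANGUAGE sql;

-- Pavel's point: PREPARE only accepts SELECT/INSERT/UPDATE/DELETE/VALUES, so a
-- DO block cannot be prepared and there is no $1 to bind inside it:
-- PREPARE p AS DO $$ BEGIN NULL; END $$;   -- ERROR:  syntax error

-- 1. The hand-built DO body. With the intended value 'x' it is harmless:
DO $$ BEGIN PERFORM someexistingfunction('x'); END; $$;

--    The client spliced that 'x' into the SQL text, so a caller-supplied
--    value of
--        x'); DROP TABLE audit_log; PERFORM length('y
--    yields the body below. It is valid PL/pgSQL, the DROP runs with the
--    privileges of the connecting user, and nothing after it touches the
--    table, so the block commits rather than rolling back:
DO $$ BEGIN PERFORM someexistingfunction('x'); DROP TABLE audit_log; PERFORM length('y'); END; $$;

-- audit_log is gone at this point; recreate it for the rest of the example.
CREATE TABLE audit_log (entry text);

-- 2a. Put the body in a real function, which does take parameters. From JDBC
--     this is "SELECT run_block(?)" with setString(): the value travels as a
--     bind parameter and is never part of the SQL text.
CREATE FUNCTION run_block(p text) RETURNS void AS $b$
BEGIN
    PERFORM someexistingfunction(p);
END;
$b$ LANGUAGE plpgsql;

SELECT run_block($v$x'); DROP TABLE audit_log; PERFORM length('y$v$);

-- 2b. Server-side prepared statement (the PREPARE page Willy-Bas linked),
--     calling the function rather than wrapping it in DO. The payload is
--     just a string value here.
PREPARE call_it(text) AS SELECT someexistingfunction($1);
EXECUTE call_it($v$x'); DROP TABLE audit_log; --$v$);

-- Both rows hold the attacker-controlled text verbatim; no DROP ran.
SELECT entry FROM audit_log;
```

Route 2a is the practical answer to the question as asked: the anonymous block is only a convenience, and the moment caller-supplied data is involved a named function with parameters gives JDBC a `?` to bind. If the block must stay anonymous, a third route is to pass the value through a parameterized `SELECT set_config('myapp.val', ?, true)` and read it with `current_setting('myapp.val')` inside the DO body; on the 9.0 release in the question that requires the `myapp` class to be listed in `custom_variable_classes`, a requirement that 9.2 dropped.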