Обсуждение: DO Statement Body Parameters

Поиск
Список
Период
Сортировка

DO Statement Body Parameters

От
"David Johnston"
Дата:
I think I understand what is happening but am curious if something along
these lines can be accomplished?
Consider the following SQL statement (executed via JDBC against a 9.0.3
installation):

DO $$ BEGIN PERFORM someexistingfunction ( ? ); END; $$

It appears that such a format is invalid since JDBC will not provide any
parameter hooks and as written the SQL parser does not like the unquoted
question mark (it works fine with real values in place of the '?').

My guess is that the anonymous function created by DO is immediately
"compiled" and thus the placeholder never gets a chance to be replaced with
a real value.

Given that you cannot place function parameters onto the DO statement (i.e.,
DO (varchar, varchar) $$  $$;) the only way to use DO is to build the full
SQL by hand and introduce possible SQL Injection weaknesses into the system.

Is this a conscious design decision in order to address the complexity of
making a DO statement possible at all or is it an oversight that is or could
be planned for future correction?  Or should it work except for some
limitation of JDBC?  I am not sure how I'd go about testing a parameterized
query without using JDBC...

Thanks

David J.







Re: DO Statement Body Parameters

От
Willy-Bas Loos
Дата:
On Thu, Mar 24, 2011 at 1:33 AM, David Johnston <polobo@yahoo.com> wrote:
I am not sure how I'd go about testing a parameterized
query without using JDBC...

How about this? 

HTH,

WBL








--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general



--
"Patriotism is the conviction that your country is superior to all others because you were born in it." -- George Bernard Shaw

Re: DO Statement Body Parameters

От
Pavel Stehule
Дата:
2011/3/24 Willy-Bas Loos <willybas@gmail.com>:
> On Thu, Mar 24, 2011 at 1:33 AM, David Johnston <polobo@yahoo.com> wrote:
>>
>> I am not sure how I'd go about testing a parameterized
>> query without using JDBC...
>
> How about this?
> http://www.postgresql.org/docs/9.0/interactive/sql-prepare.html
> HTH,
> WBL

you can't prepare a DO statement - it has no plan :(. I worked on
parametrized DO statement, but this patch was rejected as premature
optimalization.

Regards

Pavel Stehule

>>
>>
>>
>>
>>
>>
>>
>> --
>> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-general
>
>
>
> --
> "Patriotism is the conviction that your country is superior to all others
> because you were born in it." -- George Bernard Shaw
>