Re: RfD: more powerful "any" types

2009/9/13 decibel <decibel@decibel.org>:
> On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:
>>
>> decibel wrote:
>>>
>>> Speaking of concatenation...
>>>
>>> Something I find sorely missing in plpgsql is the ability to put
>>> variables inside of a string, ie:
>>>
>>> DECLARE
>>> v_table text := ...
>>> v_sql text;
>>> BEGIN
>>> v_sql := "SELECT * FROM $v_table";
>>>
>>> Of course, I'm assuming that if it was easy to do that it would be done
>>> already... but I thought I'd just throw it out there.
>>>
>>
>> Then use a language that supports variable interpolation in strings, like
>> plperl, plpythonu, plruby .... instead of plpgsql.
>
>
> Which makes executing SQL much, much harder.
>
> At least if we get sprintf dealing with strings might become a bit easier...

This feature is nice - but very dangerous - it the most easy way how
do vulnerable (on SQL injection) application!

regards
Pavel Stehule

> --
> Decibel!, aka Jim C. Nasby, Database Architect  decibel@decibel.org
> Give your computer some brain candy! www.distributed.net Team #1828
>
>
>