Re: RfD: more powerful "any" types

2009/9/14 Merlin Moncure <mmoncure@gmail.com>:
> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule <pavel.stehule@gmail.com> wrote:
>>> How is it any worse than what people can already do? Anyone who isn't aware
>>> of the dangers of SQL injection has already screwed themselves. You're
>>> basically arguing that they would put a variable inside of quotes, but they
>>> would never use ||.
>>
>> simply - people use functions quote_literal or quote_ident.
>
> you still have use of those functions:
> execute sprintf('select * from %s', quote_ident($1));
>
> sprintf is no more or less dangerous than || operator.

sure. I commented different feature

some := 'select * from $1'

regards
Pavel

p.s. In this case, I am not sure what is more readable:

execute 'select * from ' || quote_ident($1)

is readable well too.




>
> merlin
>