Re: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)
| From | Bruce Momjian |
|---|---|
| Subject | Re: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4) |
| Date | |
| Msg-id | 200711051610.lA5GAdS17555@momjian.us |
| In reply to | Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4) ("Pavel Stehule" <pavel.stehule@gmail.com>) |
| List | pgsql-hackers |
This has been saved for the 8.4 release:

http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---------------------------------------------------------------------------

Pavel Stehule wrote:
> Hello,
>
> this proposal changes the older unaccepted proposal
> http://archives.postgresql.org/pgsql-hackers/2006-03/msg01157.php .
>
> Changes:
> * based on prepared statements
> * syntax and behaviour are near to Oracle
> * usable as protection from SQL injection
>
> New syntax:
>
> a) EXECUTE stringexpr
>      [INTO [STRICT] varlist]
>      [USING exprlist]
>
> b) FOR varlist IN EXECUTE stringexpr USING exprlist LOOP ....
>
> Reason:
> * defence from SQL injection
> * more readable, shorter, more comfortable
>
> Sample (secure dynamic statement):
> EXECUTE
>     'SELECT * FROM ' ||
>     CASE tblname
>         WHEN 'tab1' THEN 'tab1'
>         WHEN 'tab2' THEN 'tab2'
>         ELSE '"some is wrong"' END ||
>     ' WHERE c1 = $1 AND c2 = $2'
>     USING unsecure_parameter1, unsecure_parameter2;
>
> Difference between PL/SQL and proposal:
> * allow only IN variables
> * use PostgreSQL placeholder notation - "$"n instead of ":"n
>
> Compliance with PL/SQL
> * You can use numeric, character, and string literals as bind arguments
> * You cannot use bind arguments to pass the names of schema objects to
>   a dynamic SQL statement.
>
> Best regards
>
> Pavel Stehule
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
>                http://www.postgresql.org/docs/faq

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
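The distinction the quoted proposal draws between splicing caller values into the query text and binding them with USING, as an added PL/pgSQL example that is not part of the thread. The tables, rows and function names are constructed; the USING form assumes the proposed syntax, and quote_ident() is the existing PostgreSQL function.

```sql
-- Added example (not from the thread). Tables, rows and functions are constructed.
-- Assumes the proposed syntax: FOR ... IN EXECUTE stringexpr USING exprlist,
-- with $1, $2 as placeholders, plus the existing quote_ident() function.
CREATE TABLE tab1 (c1 text, c2 int, payload text);
CREATE TABLE tab2 (c1 text, c2 int, payload text);
INSERT INTO tab1 VALUES ('a', 1, 'row-a1'), ('b', 1, 'row-b1');

-- Before: caller-supplied values are spliced into the SQL text, so a
-- single quote inside p1 ends the literal and the rest is parsed as SQL.
CREATE OR REPLACE FUNCTION lookup_unsafe(tblname text, p1 text, p2 int)
RETURNS SETOF text AS $fn$
DECLARE
    r record;
BEGIN
    FOR r IN EXECUTE 'SELECT payload FROM ' || tblname ||
                     ' WHERE c1 = ''' || p1 || ''' AND c2 = ' || p2
    LOOP
        RETURN NEXT r.payload;
    END LOOP;
END;
$fn$ LANGUAGE plpgsql;

-- After, per the proposal: the object name is whitelisted (bind
-- arguments cannot carry identifiers), and the values go through USING,
-- so they are bound as parameters of the prepared statement and are
-- never re-parsed as SQL text.
CREATE OR REPLACE FUNCTION lookup_safe(tblname text, p1 text, p2 int)
RETURNS SETOF text AS $fn$
DECLARE
    r record;
BEGIN
    IF tblname NOT IN ('tab1', 'tab2') THEN
        RAISE EXCEPTION 'unknown table %', tblname;
    END IF;
    FOR r IN EXECUTE 'SELECT payload FROM ' || quote_ident(tblname) ||
                     ' WHERE c1 = $1 AND c2 = $2'
             USING p1, p2
    LOOP
        RETURN NEXT r.payload;
    END LOOP;
END;
$fn$ LANGUAGE plpgsql;

-- Same input, different outcome:
-- SELECT * FROM lookup_unsafe('tab1', $x$a' OR '1'='1$x$, 1); -- both rows
-- SELECT * FROM lookup_safe  ('tab1', $x$a' OR '1'='1$x$, 1); -- no rows
```

In the unsafe version the predicate becomes `c1 = 'a' OR '1'='1' AND c2 = 1`, which matches every row; in the USING version the whole string is compared as one value of c1.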