Re: Prepared statements with bind parameters for DDL
| From | Tom Lane |
|---|---|
| Subject | Re: Prepared statements with bind parameters for DDL |
| Date | |
| Msg-id | 25178.1423698441@sss.pgh.pa.us |
| In reply to | Re: Prepared statements with bind parameters for DDL (Martijn van Oosterhout <kleptog@svana.org>) |
| List | pgsql-general |
Martijn van Oosterhout <kleptog@svana.org> writes:
> On Wed, Feb 11, 2015 at 02:22:10PM -0500, Tom Lane wrote:
>> Nope. DDL commands generally don't have any support for evaluating
>> expressions, which would be the context in which parameters would
>> be useful. Nor have they got plans, which would be the requirement
>> for prepared statements to be good for much either.

> Not really true, there are plenty of cases where you just want to fill
> in literals without having to worry about quoting. For example:

> DROP TABLE %s

True, but that is not what Postgres thinks is a parameter; for example
you cannot do "SELECT * FROM %s", nor could you persuade it to interpret
a parameter as a column reference in a SELECT.

> ... is opening yourself up to SQL injection. I've wondered if it were
> possible to be able to say:

> DROP TABLE IDENTIFIER($1);

A meta-function like that would just provide a different route for SQL
injection, I suspect, particularly when attacking applications that hadn't
gotten the memo about "IDENTIFIER()" being magic. I think there's
considerable value in a client-library function for safe interpolation
of this sort, but I doubt that trying to shoehorn it into the server is
the answer.

regards, tom lane
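The client-library "safe interpolation" Tom refers to, as an added example that is not part of this thread or of any PostgreSQL driver: a Python function following the rules of PostgreSQL's quote_ident() (wrap in double quotes, double any embedded double quote), used to build the DROP TABLE statement from the message. The names `quote_ident`, `quote_literal` and `drop_table_statement`, and the sample table names, are constructed for this example.

```python
"""Client-side identifier quoting for DDL such as DROP TABLE, where bind
parameters cannot stand in for a table name. Mirrors the quoting rules of
PostgreSQL's quote_ident(): double-quote the name, double embedded quotes."""


def quote_ident(name: str) -> str:
    """Return `name` as a safely double-quoted SQL identifier.

    A NUL byte can never appear in a PostgreSQL identifier and cannot be
    escaped, so it is rejected rather than passed through.
    """
    if "\x00" in name:
        raise ValueError("identifier contains NUL byte")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Return `value` as a single-quoted SQL string literal, which is what a
    bind parameter effectively becomes. Shown only to contrast with
    quote_ident: a string literal is never accepted where a table name goes,
    which is why $1 cannot replace %s in DROP TABLE %s."""
    if "\x00" in value:
        raise ValueError("literal contains NUL byte")
    return "'" + value.replace("'", "''") + "'"


def drop_table_statement(table_name: str) -> str:
    """Build DROP TABLE for an application-supplied table name, interpolating
    the quoted identifier instead of the raw string."""
    return "DROP TABLE " + quote_ident(table_name) + ";"


if __name__ == "__main__":
    # Constructed sample names: a plain one, a mixed-case one (quoting keeps
    # its case), and one containing a double quote and a semicolon, which
    # naive "DROP TABLE %s" % name formatting would splice into the statement.
    for sample in ["users", "AuditLog", 'odd"name; extra']:
        print(drop_table_statement(sample))
```

The third sample becomes a single quoted identifier, `"odd""name; extra"`, so the semicolon stays inside the name rather than terminating the statement.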