Re: Table as argument in postgres function

Поиск
Список
Период
Сортировка
От Corey Huinker
Тема Re: Table as argument in postgres function
Дата
Msg-id CADkLM=fyOe+=JCFkeSXM8sbJEgym9DsuoZAHsfvVyeydOAbUFQ@mail.gmail.com
обсуждение исходный текст
Ответ на Table as argument in postgres function  (RAJIN RAJ K <rajin89@gmail.com>)
Ответы Re: Table as argument in postgres function  (Pavel Stehule <pavel.stehule@gmail.com>)
Список pgsql-hackers
Дерево обсуждения

You can pass table name as text or table object id as regclass type.

inside procedure you should to use dynamic sql - execute statement. Generally you cannot to use a variable as table or column name ever.

Dynamic SQL is other mechanism - attention on SQL injection.

On this note, Snowflake has the ability to to parameterize object names (see: https://docs.snowflake.net/manuals/sql-reference/identifier-literal.html )

So you can do things like
    SELECT col_a, col_b FROM identifier('a_table_name')
or as a bind variable
    SELECT col_a, col_b FROM identifier($1)

Which is their way of avoiding SQL injection attacks in some circumstances. Their implementation of it is a bit uneven, but it has proven useful for my work.

I can see where this obviously would prevent the planning of a prepared statement when a table name is a parameter, but the request comes up often enough, and the benefits to avoiding SQL injection attacks are significant enough that maybe we should try to enable it for one-off. I don't necessarily think we need an identifier(string) function, a 'schema.table'::regclass would be more our style.

Is there anything preventing us from having the planner resolve object names from strings?

В списке pgsql-hackers по дате отправления:

Предыдущее
От: David Rowley
Дата:
Сообщение: Re: Statistical aggregate functions are not working with PARTIAL aggregation
Следующее
От: Pavel Stehule
Дата:
Сообщение: Re: Table as argument in postgres function