Re: proposal: doc: simplify examples of dynamic SQL
| От | Pavel Stehule |
|---|---|
| Тема | Re: proposal: doc: simplify examples of dynamic SQL |
| Дата | |
| Msg-id | CAFj8pRC+wY-+YWJxUDL6E0w=vGxbeS+tdUQZh+OKmZCCuZkwEQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: proposal: doc: simplify examples of dynamic SQL (Jim Nasby <Jim.Nasby@BlueTreble.com>) |
| Список | pgsql-hackers |
Hi
2014-10-03 5:16 GMT+02:00 Jim Nasby <Jim.Nasby@bluetreble.com>:
On 10/2/14, 6:51 AM, Pavel Stehule wrote:EXECUTE format('UPDATE tbl SET %I = newvalue WHERE key = %L',-1, because of quoting issues
colname, keyvalue)
or
No it isn't. I is 100% safe
EXECUTE format('UPDATE tbl SET %I = newvalue WHERE key = $1',Better, but I think it should really be quote_ident( colname )
colname)
USING keyvalue;A old examples are very instructive, but little bit less readable and maybe too complex for beginners.Honestly, I'm not to fond of either. format() is a heck of a lot nicer than a forest of ||'s, but I think it still falls short of what we'd really want here which is some kind of variable substitution or even a templating language. IE:
Opinions?
EXECUTE 'UDPATE tbl SET $colname = newvalue WHERE key = $keyvalue';
Your proposal significantly increase a work with string. Escaping and quoting depends on context, and should be different in different context. In PHP or Perl, this technique is the most simple backdoor for SQL injection.
Pavel
В списке pgsql-hackers по дате отправления: