| From: | Tino Wildenhain <tino(at)wildenhain(dot)de> |
|---|---|
| To: | "surabhi(dot)ahuja" <surabhi(dot)ahuja(at)iiitb(dot)ac(dot)in> |
| Cc: | Richard Huxton <dev(at)archonet(dot)com>, Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: a stored procedure ..with integer as the parameter |
| Date: | 2005-10-25 05:52:07 |
| Message-ID: | 1130219528.23228.57.camel@Andrea.peacock.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Am Dienstag, den 25.10.2005, 10:24 +0530 schrieb surabhi.ahuja:
> oops i am sorry,
> i mean from the client i ll be getting values (which i need to insert
> into the table) in the form of strings:
>
> and i form the insert command as follows:
>
> function(char *a, char *b, char *c)
> {
> char command[1024];
> sprintf(command, "select insert('%s','%s','%s')", a,b,c);
> execute the above command;
> }
>
> the above is just the pseudo code
>
> the stored procedure in turn is as follows (psudocode):
>
> insert(smallint , smallint, varchar(256))
> begin
> insert into table 1 values ($1, $2, $3);
> end
I'm not sure this serves much purpose if it isnt just
for experimenting ;)
char -> int is simply done by casting (even automatically)
so your insert reduces to:
INSERT INTO table1 (col_a,col_b,col_c) VALUES (a,b,c);
(with or w/o stored function)
simply sprintf into a string can be a very serious
security hole btw.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Paresh Bafna | 2005-10-25 05:57:08 | Creating table in different database |
| Previous Message | surabhi.ahuja | 2005-10-25 04:54:38 | Re: a stored procedure ..with integer as the parameter |