Re: Prepared statements with bind parameters for DDL

On Wed, Feb 11, 2015 at 02:22:10PM -0500, Tom Lane wrote:
> deepak <deepak(dot)pn(at)gmail(dot)com> writes:
> > I find that one can't have a prepared statement with bind parameters for a
> > DDL statement,
>
> Nope. DDL commands generally don't have any support for evaluating
> expressions, which would be the context in which parameters would
> be useful. Nor have they got plans, which would be the requirement
> for prepared statements to be good for much either.

Not really true, there are plenty of cases where you just want to fill
in literals without having to worry about quoting. For example:

DROP TABLE %s

is opening yourself up to SQL injection. I've wondered if it were
possible to be able to say:

DROP TABLE IDENTIFIER($1);

where in the grammer IDENTIFIER($x) would be parsed as an identifier
token and the parameter would be required to be a string. You don't
need to evaluate any expressions to make this work, but it saves you
from any quoting issues.

Of course, it gets more complicated if you want to allow cases like:

PREPARE get_by_id AS SELECT * FROM IDENTIFIER($1) WHERE id=$2;

EXECUTE get_by_id('mytable', 400);

But DDL would be a great start.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
-- Arthur Schopenhauer