Re: eval function

From: Chris Travers <chris(dot)travers(at)gmail(dot)com>
To: Sim Zacks <sim(at)compulab(dot)co(dot)il>
Cc: PostgreSQL general <pgsql-general(at)postgresql(dot)org>
Subject: Re: eval function
Date: 2011-07-28 14:46:29
Message-ID: CAKt_ZfuAPjSQbJa0PkK5fhmrHtrXgFujex1Rsh=Pd1WU+SPpGQ@mail.gmail.com
Lists: pgsql-general

On Thu, Jul 28, 2011 at 4:18 AM, Sim Zacks <sim(at)compulab(dot)co(dot)il> wrote:
> I need an eval function that will evaluate a valid SQL expression and return
> the value.
>
> I've seen variations of this asked before with no real answer.
>
> I wrote a function to handle it, but it looks like there should be a better
> way to do this (see below).
>
> My use case is a table with date range definitions that should be evaluated
> dynamically:
>

There's a major security cost to doing things this way, btw. If you
have a function that is doing this and can possibly be called by the
client app, then you have the possibility of sql injection. Similarly
if any function's arguments can be parsed this way, it's also a
potential issue.

I know you are doing a lot of your work in PL/Python. The plpgsql
code is pretty straightforward and I am not sure there is any issue
in just simply adding a couple lines of code to relevant PL/Pgsql
functions to avoid making this an interface. With PL/Python, I wonder
if it wouldn't be a bad idea to create a separate class which can
handle this and pass the data down that way. But I would try to avoid
exposing portions of dynamic SQL to a SQL-level API.

Just my $0.02

Best Wishes,
Chris Travers
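The two designs contrasted in the reply above, as an added example that is not part of the thread or its authors' code: a general-purpose eval() that turns caller text into SQL, next to a narrow wrapper that only ever executes expressions stored in a table the client cannot write. It assumes PostgreSQL 9.5+ and a hypothetical date_ranges table; app_user is a placeholder role name.

```sql
-- Added example, not code from the thread. Assumes PostgreSQL 9.5+ and a
-- hypothetical table date_ranges; app_user is a placeholder role name.

-- Risky pattern: a general eval() turns any caller-supplied text into SQL.
-- Whoever can call it can run arbitrary statements with its privileges.
CREATE OR REPLACE FUNCTION eval(expr text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE result text;
BEGIN
  EXECUTE 'SELECT ' || expr INTO result;  -- untrusted text becomes SQL
  RETURN result;
END $$;
REVOKE EXECUTE ON FUNCTION eval(text) FROM PUBLIC;  -- never a client API

-- Safer design: expression text lives in a table only its owner can edit;
-- clients pass a range *name*, never SQL, and only the wrapper is granted.
CREATE TABLE IF NOT EXISTS date_ranges (
  name       text PRIMARY KEY,
  start_expr text NOT NULL,   -- e.g. current_date - interval '30 days'
  end_expr   text NOT NULL
);
INSERT INTO date_ranges VALUES
  ('last_30_days', $e$current_date - interval '30 days'$e$, 'current_date')
ON CONFLICT (name) DO NOTHING;

CREATE OR REPLACE FUNCTION date_range_for(p_name text,
                                          OUT range_start date,
                                          OUT range_end date)
LANGUAGE plpgsql
SET search_path = pg_catalog, public   -- caller's search_path is ignored
AS $$
DECLARE r date_ranges%ROWTYPE;
BEGIN
  SELECT * INTO r FROM date_ranges WHERE name = p_name;  -- p_name is data
  IF NOT FOUND THEN
    RAISE EXCEPTION 'unknown date range "%"', p_name;
  END IF;
  -- Only the stored expressions reach EXECUTE, and each is cast to date,
  -- so a definition that does not yield a date fails here.
  EXECUTE format('SELECT (%s)::date, (%s)::date', r.start_expr, r.end_expr)
     INTO range_start, range_end;
END $$;
REVOKE EXECUTE ON FUNCTION date_range_for(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION date_range_for(text) TO app_user;

-- Usage: SELECT * FROM date_range_for('last_30_days');
```

The wrapper still runs dynamic SQL, but the text it executes is controlled by whoever can write date_ranges, not by the caller, which is the boundary the reply argues for.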
