From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Andrew Hall <andrewah(at)hotmail(dot)com> |
Cc: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Dynamic Query |
Date: | 2009-10-19 22:55:38 |
Message-ID: | 13151.1255992938@sss.pgh.pa.us |
Lists: | pgsql-sql |
Andrew Hall <andrewah(at)hotmail(dot)com> writes:
> Is there a recommended way to translate this function into plpgSQL which would protect me from SQL Injection (most important for me) and use bind variables (of secondary importance)?
See quote_literal() and/or quote_nullable(). On the whole though I
think you'd be best off not using a dynamically-constructed query at
all --- given the desired %'s in the LIKE pattern, there is not going
to be any benefit at all from using an unparameterized query. Just
write it out without all the string-construction.
regards, tom lane
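The three options the reply refers to, written out as an added example that is not part of the thread (Andrew's original function is not on this page, so the table, the column and the function names below are assumed): string splicing that is injectable, the same dynamic query made safe with quote_literal()/quote_nullable(), EXECUTE ... USING as the bind-variable form, and finally the plain statement with no string construction at all, which is what the reply recommends.

```sql
-- Added example, not code from the thread. Assumed schema: a table
-- "customers" with columns id and name; all function names are hypothetical.
CREATE TABLE customers (id serial PRIMARY KEY, name text NOT NULL);
INSERT INTO customers (name) VALUES ('Alice'), ('Bob'), ('O''Brien');

-- 1. Injectable: the caller's string becomes part of the SQL text. With
--    p_term = x' OR '1%'='1 the executed statement is
--      SELECT * FROM customers WHERE name LIKE '%x' OR '1%'='1%'
--    and the OR branch is a string comparison that is always true.
CREATE OR REPLACE FUNCTION find_customers_unsafe(p_term text)
RETURNS SETOF customers AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name LIKE ''%' || p_term || '%''';
END;
$$ LANGUAGE plpgsql;

-- 2. Still dynamic, but the term is passed through quote_nullable(), which
--    doubles embedded quotes so the value is always exactly one literal
--    (the '%' wildcards inside the literal are harmless).  quote_literal()
--    would do the same for non-NULL input, but quote_literal(NULL) is NULL,
--    so the whole query string would be NULL and EXECUTE would raise an
--    error; quote_nullable() emits the keyword NULL instead.
CREATE OR REPLACE FUNCTION find_customers_quoted(p_term text)
RETURNS SETOF customers AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name LIKE '
        || quote_nullable('%' || p_term || '%');
END;
$$ LANGUAGE plpgsql;

-- 3. Dynamic with a parameter: EXECUTE ... USING (PostgreSQL 8.4 and later)
--    sends the value separately from the SQL text, so nothing is quoted or
--    spliced.  This is the "bind variable" form for a dynamic statement.
CREATE OR REPLACE FUNCTION find_customers_using(p_term text)
RETURNS SETOF customers AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name LIKE $1'
        USING '%' || p_term || '%';
END;
$$ LANGUAGE plpgsql;

-- 4. What the reply recommends: no string construction.  A plain statement
--    inside PL/pgSQL is prepared once, with p_term supplied as a parameter,
--    so the caller's text can never be parsed as SQL.
CREATE OR REPLACE FUNCTION find_customers(p_term text)
RETURNS SETOF customers AS $$
BEGIN
    RETURN QUERY
        SELECT * FROM customers WHERE name LIKE '%' || p_term || '%';
END;
$$ LANGUAGE plpgsql;

-- The same hostile input against each version ($$...$$ is dollar quoting,
-- used here so the payload's own single quotes need no escaping).
SELECT * FROM find_customers_unsafe($$x' OR '1%'='1$$);
SELECT * FROM find_customers_quoted($$x' OR '1%'='1$$);
SELECT * FROM find_customers_using($$x' OR '1%'='1$$);
SELECT * FROM find_customers($$x' OR '1%'='1$$);
SELECT * FROM find_customers('Bri');
```

Only the first SELECT is affected by the payload: in the other three the whole string is one LIKE pattern, and since no name contains `x' OR '1%'='1`, they match nothing, while `'Bri'` finds O'Brien through every version. Versions 2 and 3 are what you need when the table or column name itself has to vary (quote_ident() is the counterpart of quote_literal() for identifiers); when only the pattern varies, as in the question, version 4 is both the simplest and the safest.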
From | Date | Subject | |
---|---|---|---|
Next Message | Oliveiros C, | 2009-10-20 13:39:23 | Re: How to order varchar data by word |
Previous Message | Andrew Hall | 2009-10-19 22:39:35 | Dynamic Query |