Re: Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)

This has been saved for the 8.4 release:

http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---------------------------------------------------------------------------

Pavel Stehule wrote:
> Hello,
>
> this proposal change older unaccepted proposal
> http://archives.postgresql.org/pgsql-hackers/2006-03/msg01157.php .
>
> Changes:
> * based on prepared statements
> * syntax and behave is near to Oracle
> * usable as protection from SQL injection
>
> New syntax:
>
> a) EXECUTE stringexpr
> [INTO [STRICT] varlist
> [USING exprlist]
>
> b) FOR varlist IN EXECUTE stringexpr USING exprlist LOOP ....
>
> Reason:
> * defence from SQL injection
> * more readable, shorter, more comfortable
>
> Sample (secure dynamic statement):
> EXECUTE
> 'SELECT * FROM ' ||
> CASE tblname
> WHEN 'tab1' THEN 'tab1'
> WHEN 'tab2' THEN 'tab2'
> ELSE '"some is wrong"' END ||
> ' WHERE c1 = $1 AND c2 = $2'
> USING unsecure_parameter1, unsecure_parameter2;
>
> Difference between PL/SQL and proposal:
> * allow only IN variables
> * use PostgreSQL placeholders notation - "$"n instead ":"n
>
> Compliance with PL/SQL
> * You can use numeric, character, and string literals as bind arguments
> * You cannot use bind arguments to pass the names of schema objects to
> a dynamic SQL statement.
>
> Best regards
>
> Pavel Stehule
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faq

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +