Gregory Stark <stark(at)enterprisedb(dot)com> writes:
> There's an argument to be made that the code is easier to audit if you put the
> "%s" format string in explicitly too.
Yeah, the risk this is trying to guard against is variables containing
"%" unexpectedly. Even if that's not possible, it requires some work
to verify and it's a bit fragile. I didn't look at the specific cases
yet but in general I think this is a good policy.
One thing to watch out for is that the intention may have been to allow
the strings to be translated.
regards, tom lane