Prepare/Execute silently discards prohibited ORDER BY values

Tested On: 9.4.1, 9.3.6
Severity: minor
Summary: PREPARE/EXECUTE appears to silently discard ORDER BY parameters.

josh=# \d test
Table "public.test"
Column | Type | Modifiers
--------+------+-----------
test | text |

josh=# insert into test values ('test1'),('test9'),('test3'),('test2');
INSERT 0 4

josh=# prepare foo as select * from test order by $1;
PREPARE

josh=# execute foo('test');
test
-------
test1
test9
test3
test2
(4 rows)

josh=# explain analyze
josh-# execute foo('test');
QUERY PLAN

---------------------------------------------------------------------------------------------------
Seq Scan on test (cost=0.00..23.10 rows=1310 width=32) (actual
time=0.007..0.007 rows=4 loops=1)
Execution time: 0.026 ms
(2 rows)

What appears to be happening is that the prohibited parameter for ORDER
BY is being silently discarded during EXECUTE. At first I thought it
might just be doing ORDER BY 'test' in the background, but that's not it:

josh=# select * from test order by 'test';
ERROR: non-integer constant in ORDER BY
LINE 1: select * from test order by 'test';

josh=# execute foo(1);
test
-------
test1
test9
test3
test2
(4 rows)

josh=# select * from pg_prepared_statements ;
name | statement |
prepare_time | parameter_types | from_sql
------+------------------------------------------------+-------------------------------+-----------------+----------
foo | prepare foo as select * from test order by $1; | 2015-05-11
16:52:55.369479-07 | {text} | t
(1 row)

So something else is happening here. What should probably be happening
is that PREPARE should throw an error if it gets a parameter in the
ORDER BY clause.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com