DO Statement Body Parameters

From: "David Johnston" <polobo(at)yahoo(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Subject: DO Statement Body Parameters
Date: 2011-03-24 00:33:11
Message-ID: 00b001cbe9bb$0ecca580$2c65f080$@yahoo.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

I think I understand what is happening but am curious if something along
these lines can be accomplished?
Consider the following SQL statement (executed via JDBC against a 9.0.3
installation):

DO $$ BEGIN PERFORM someexistingfunction ( ? ); END; $$

It appears that such a format is invalid since JDBC will not provide any
parameter hooks and as written the SQL parser does not like the unquoted
question mark (it works fine with real values in place of the '?').

My guess is that the anonymous function created by DO is immediately
"compiled" and thus the placeholder never gets a chance to be replaced with
a real value.

Given that you cannot place function parameters onto the DO statement (i.e.,
DO (varchar, varchar) $$ $$;) the only way to use DO is to build the full
SQL by hand and introduce possible SQL Injection weaknesses into the system.

Is this a conscious design decision in order to address the complexity of
making a DO statement possible at all or is it an oversight that is or could
be planned for future correction? Or should it work except for some
limitation of JDBC? I am not sure how I'd go about testing a parameterized
query without using JDBC...

Thanks

David J.

Responses

Browse pgsql-general by date

  From Date Subject
Next Message hyelluas 2011-03-24 00:45:21 Re: constraint partition issue
Previous Message Peter Eisentraut 2011-03-23 23:12:14 Re: Linux, Hungarian charset (Win1250) is supports the hungarian collation?