| From: | "David Johnston" <polobo(at)yahoo(dot)com> |
|---|---|
| To: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | DO Statement Body Parameters |
| Date: | 2011-03-24 00:33:11 |
| Message-ID: | 00b001cbe9bb$0ecca580$2c65f080$@yahoo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
I think I understand what is happening but am curious if something along
these lines can be accomplished?
Consider the following SQL statement (executed via JDBC against a 9.0.3
installation):
DO $$ BEGIN PERFORM someexistingfunction ( ? ); END; $$
It appears that such a format is invalid since JDBC will not provide any
parameter hooks and as written the SQL parser does not like the unquoted
question mark (it works fine with real values in place of the '?').
My guess is that the anonymous function created by DO is immediately
"compiled" and thus the placeholder never gets a chance to be replaced with
a real value.
Given that you cannot place function parameters onto the DO statement (i.e.,
DO (varchar, varchar) $$ $$;) the only way to use DO is to build the full
SQL by hand and introduce possible SQL Injection weaknesses into the system.
Is this a conscious design decision in order to address the complexity of
making a DO statement possible at all or is it an oversight that is or could
be planned for future correction? Or should it work except for some
limitation of JDBC? I am not sure how I'd go about testing a parameterized
query without using JDBC...
Thanks
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | hyelluas | 2011-03-24 00:45:21 | Re: constraint partition issue |
| Previous Message | Peter Eisentraut | 2011-03-23 23:12:14 | Re: Linux, Hungarian charset (Win1250) is supports the hungarian collation? |