From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | "A(dot) Kretschmer" <andreas(dot)kretschmer(at)schollglas(dot)com> |
Cc: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Selecting values from comma separated string |
Date: | 2009-08-26 13:33:11 |
Message-ID: | 162867790908260633l5245f689v88691a08968b4ab0@mail.gmail.com |
Lists: | pgsql-sql |
2009/8/26 A. Kretschmer <andreas(dot)kretschmer(at)schollglas(dot)com>:
> In response to Nacef LABIDI :
>> Hi all,
>>
>> I want to write a function that takes as param a comma separated values string
>> and perform a select matching these values.
>>
>> Here is the string '1,3,7,8'
>>
>> And I want to perform a: SELECT * FROM my_table WHERE id IN (1, 3, 7, 8);
>
> Use EXECUTE sql_string, see
> http://www.postgresql.org/docs/8.4/interactive/plpgsql-control-structures.html
>
> For instance, simple example, untested:
>
Hello
> create function foo (my_string text) returns setof record as $$
> declare
> sql text;
> begin
> sql:='SELECT * FROM my_table WHERE id IN (' || $1 || ')';
> return query execute sql;
> end;
> $$ language plpgsql;
>
It's a dangerous solution - there can be an SQL injection attack.
regards
Pavel Stehule
> The variable sql contains the whole query, and then execute that.
>
> HTH, Andreas
> --
> Andreas Kretschmer
> Contact: Heynitz: 035242/47150, D1: 0160/7141639 (more: -> header)
> GnuPG-ID: 0x3FFF606C, private 0x7F4584DA http://wwwkeys.de.pgp.net
>
> --
> Sent via pgsql-sql mailing list (pgsql-sql(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-sql
>
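As an added example that is not part of the thread (not Andreas's or Pavel's code): the same function written so that the comma-separated string can only ever be treated as data, never as SQL text. The names my_table, id, foo and the input '1,3,7,8' come from the thread; the label column, the sample rows and the names foo_safe and foo_dynamic are assumptions made for this example. Everything used here (string_to_array, = ANY, RETURN QUERY EXECUTE ... USING) exists in PostgreSQL 8.4, the version the thread links to.

```sql
-- Added example, not code from the thread. Assumes a table my_table with an
-- integer id column; the rows below are constructed so the calls can be run
-- in a scratch database.
CREATE TABLE my_table (id integer PRIMARY KEY, label text);
INSERT INTO my_table (id, label)
VALUES (1, 'one'), (2, 'two'), (3, 'three'), (7, 'seven'), (8, 'eight');

-- Hardened counterpart of foo: the CSV string is cast to integer[] once and
-- compared with = ANY. No string concatenation takes place, so the parameter
-- is bound as a value. An element that is not an integer (e.g. 'abc') makes
-- the cast raise an error instead of becoming part of the statement.
CREATE OR REPLACE FUNCTION foo_safe(my_string text)
RETURNS SETOF my_table AS $$
BEGIN
    RETURN QUERY
        SELECT t.*
          FROM my_table AS t
         WHERE t.id = ANY (string_to_array(my_string, ',')::integer[]);
END;
$$ LANGUAGE plpgsql STABLE;

-- If dynamic SQL is genuinely required (here: the table name varies), keep
-- the data out of the query text: quote the identifier with quote_ident and
-- hand the id list over as a bound parameter with EXECUTE ... USING.
CREATE OR REPLACE FUNCTION foo_dynamic(tbl text, my_string text)
RETURNS SETOF record AS $$
DECLARE
    ids integer[] := string_to_array(my_string, ',')::integer[];
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM ' || quote_ident(tbl) || ' WHERE id = ANY($1)'
        USING ids;
END;
$$ LANGUAGE plpgsql STABLE;

-- Usage: the thread's input, the same list with blanks around the numbers
-- (accepted by the integer cast), and the dynamic variant, which needs a
-- column definition list because it returns SETOF record.
SELECT * FROM foo_safe('1,3,7,8');
SELECT * FROM foo_safe('1, 3 , 7');
SELECT * FROM foo_dynamic('my_table', '1,8') AS r(id integer, label text);
```

foo_safe returns SETOF my_table rather than SETOF record so callers need no column definition list; that is a deliberate departure from the quoted function. Calling foo_safe with a list containing a non-numeric element fails at the cast with an "invalid input syntax" error, which is the desired outcome: malformed input is rejected before any query runs.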