| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andreas Wenk <a(dot)wenk(at)netzmeister-st-pauli(dot)de> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: fulltext search udf |
| Date: | 2009-06-10 16:16:25 |
| Message-ID: | 6990.1244650585@sss.pgh.pa.us |
| Lists: | pgsql-general |
Andreas Wenk <a(dot)wenk(at)netzmeister-st-pauli(dot)de> writes:
> EXECUTE 'INSERT INTO produkte
> (art_nr,bezeichnung,beschreibung,preis,steuersatz,aktionspreis,stichworte,vector)
> VALUES
> ('''||art_nr||''','''||bezeichnung||''','''||beschreibung||''','||preis||',
> '||steuersatz||','||aktionspreis||','''||stichworte||''','||vect||')';
This is not going to work with such a half-baked approach to quoting the
data values --- any value with ' or \ in it will break it. You could
use quote_literal(), but I wonder why you are bothering with EXECUTE at
all. If you just did the INSERT directly it would run faster and be a
lot less ugly.
regards, tom lane
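An added example, not from the thread, that puts the two alternatives Tom names side by side against a cut-down produkte table (the table definition, the p_-prefixed parameter names and the function names are assumptions; the column names come from the quoted function):

```sql
-- Cut-down produkte table (assumed; column names taken from the quoted function).
CREATE TABLE produkte (
    art_nr      text PRIMARY KEY,
    bezeichnung text,
    preis       numeric,
    vector      tsvector
);

-- 1. Plain INSERT, as Tom suggests: PL/pgSQL hands its variables to the
--    statement as parameters, so nothing needs quoting and the plan is cached.
--    Parameters are prefixed p_ so they cannot be confused with column names.
CREATE FUNCTION insert_produkt(p_art_nr text, p_bezeichnung text, p_preis numeric)
RETURNS void LANGUAGE plpgsql AS $$
DECLARE
    vect tsvector := to_tsvector('simple', p_bezeichnung);
BEGIN
    INSERT INTO produkte (art_nr, bezeichnung, preis, vector)
    VALUES (p_art_nr, p_bezeichnung, p_preis, vect);
END;
$$;

-- 2. If EXECUTE is really needed (say, the table name varies), every data
--    value goes through quote_literal(), which doubles embedded quotes and
--    escapes backslashes. From 8.4 on, EXECUTE ... USING does the same job
--    with $1, $2 placeholders and no literal building at all.
CREATE FUNCTION insert_produkt_dyn(p_art_nr text, p_bezeichnung text, p_preis numeric)
RETURNS void LANGUAGE plpgsql AS $$
DECLARE
    vect tsvector := to_tsvector('simple', p_bezeichnung);
BEGIN
    EXECUTE 'INSERT INTO produkte (art_nr, bezeichnung, preis, vector) VALUES ('
         || quote_literal(p_art_nr)       || ', '
         || quote_literal(p_bezeichnung)  || ', '
         || quote_literal(p_preis::text)  || ', '
         || quote_literal(vect::text)     || ')';
END;
$$;

-- Check with a value containing an apostrophe: concatenated raw as in the
-- thread, the quote would end the literal early and the statement would
-- fail; both functions above store the value unchanged.
SELECT insert_produkt('A-1', 'O''Reilly Handbuch', 9.99);
SELECT insert_produkt_dyn('A-2', 'Zitat ''hier'' und ''dort''', 19.99);
SELECT art_nr, bezeichnung FROM produkte ORDER BY art_nr;
```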