Re: a stored procedure ..with integer as the parameter

From: "surabhi(dot)ahuja" <surabhi(dot)ahuja(at)iiitb(dot)ac(dot)in>
To: "Tino Wildenhain" <tino(at)wildenhain(dot)de>
Cc: "Richard Huxton" <dev(at)archonet(dot)com>, "Stephan Szabo" <sszabo(at)megazone(dot)bigpanda(dot)com>, <pgsql-general(at)postgresql(dot)org>
Subject: Re: a stored procedure ..with integer as the parameter
Date: 2005-10-26 04:07:32
Message-ID: 967CFC4343BF2A4DAFACD026D33DC85118EC83@jal.iiitb.ac.in
Lists: pgsql-general

What do you suggest I do then in that case?
I mean, how should I make a query - I mean, how do I make a command?

________________________________

From: Tino Wildenhain [mailto:tino(at)wildenhain(dot)de]
Sent: Tue 10/25/2005 11:22 AM
To: surabhi.ahuja
Cc: Richard Huxton; Stephan Szabo; pgsql-general(at)postgresql(dot)org
Subject: Re: [GENERAL] a stored procedure ..with integer as the parameter

On Tuesday, 25.10.2005, at 10:24 +0530, surabhi.ahuja wrote:
> Oops, I am sorry,
> I mean from the client I'll be getting values (which I need to insert
> into the table) in the form of strings:
>
> and I form the insert command as follows:
>
> function(char *a, char *b, char *c)
> {
> char command[1024];
> sprintf(command, "select insert('%s','%s','%s')", a,b,c);
> execute the above command;
> }
>
> The above is just the pseudocode.
>
> The stored procedure in turn is as follows (pseudocode):
>
> insert(smallint , smallint, varchar(256))
> begin
> insert into table 1 values ($1, $2, $3);
> end

I'm not sure this serves much purpose if it isn't just
for experimenting ;)

char -> int is simply done by casting (even automatically)
so your insert reduces to:

INSERT INTO table1 (col_a,col_b,col_c) VALUES (a,b,c);

(with or w/o stored function)

Simply sprintf-ing into a string can be a very serious
security hole, btw.
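
As an added example, not part of the original thread: one way to make the command without sprintf, assuming the client talks to PostgreSQL through libpq. The SQL text stays constant and the client's strings go to `PQexecParams` as bind parameters. The `USE_LIBPQ` build flag and the function names `parse_smallint`, `check_params` and `insert_row` are assumptions made here; the table and column names are taken from the INSERT above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef USE_LIBPQ   /* hypothetical build flag; define it when linking libpq */
#include <libpq-fe.h>
#endif

/* Constant SQL text: client strings are never formatted into it. */
static const char INSERT_SQL[] =
    "INSERT INTO table1 (col_a, col_b, col_c) VALUES ($1, $2, $3)";

/* Parse a decimal smallint; -1 on empty, trailing junk or out of range. */
int parse_smallint(const char *s, int16_t *out)
{
    char *end;
    if (s == NULL)
        return -1;
    long v = strtol(s, &end, 10);   /* overflow saturates, range test catches it */
    if (end == s || *end != '\0' || v < INT16_MIN || v > INT16_MAX)
        return -1;
    *out = (int16_t)v;
    return 0;
}

/* Validate the three client strings and fill params[]; 0 if acceptable. */
int check_params(const char *a, const char *b, const char *c, const char *params[3])
{
    int16_t tmp;
    if (parse_smallint(a, &tmp) != 0 || parse_smallint(b, &tmp) != 0)
        return -1;
    if (c == NULL || strlen(c) > 256)   /* byte bound for varchar(256) */
        return -1;
    params[0] = a; params[1] = b; params[2] = c;
    return 0;
}

#ifdef USE_LIBPQ
/* Values travel as bind parameters, separate from the statement text. */
int insert_row(PGconn *conn, const char *a, const char *b, const char *c)
{
    const char *params[3];
    if (check_params(a, b, c, params) != 0)
        return -1;
    PGresult *res = PQexecParams(conn, INSERT_SQL, 3, NULL, params, NULL, NULL, 0);
    int ok = (PQresultStatus(res) == PGRES_COMMAND_OK);
    PQclear(res);
    return ok ? 0 : -1;
}
#endif
```

Because the third value is sent as a parameter, a string containing a quote character is stored as data and needs no escaping on the client side.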
