Re: Pass where clause to a function

On Thu, Aug 14, 2014 at 1:17 AM, John R Pierce <pierce(at)hogranch(dot)com> wrote:
> On 8/13/2014 10:59 PM, Andrew Bartley wrote:
>
> I need this because it is a customer requirement. The underlying tables the
> api will query are dynamically created, they are period/content partitioned
> and distributed across multiple servers and database types... not just
> postgres. The api/function will determine what servers/databases/tables
> (some of them are foreign tables) to query based on the parameters passed to
> the api. The customer wants to use their current reporting tool that does
> not support function selects.
>
>
> I don't know how you would pass those expression fragments to a view to be
> passed to the function, however.
>
> what you describe above (and in the rest of your post) sounds very
> convoluted, and rather prone to poor performance.

Also be advised that sending user generated raw text to an EXECUTE'd
statement is a horrible injection risk. It's still ok (somtimes) but
only in a 100% trust situation. Perhaps you could add a little bit of
safety by adding making two arguments: comparison field and comparison
value and using quote_ident/quote_literal around them; it's a good
habit to use quote_xx around any token that is possible to be supplied
by a human.

merlin