Re: binds only for s,u,i,d? - Mailing list pgsql-hackers

From Neil Conway
Subject Re: binds only for s,u,i,d?
Date
Msg-id 1152084028.5039.70.camel@localhost
In response to binds only for s,u,i,d?  (Agent M <agentm@themactionfaction.com>)
Responses Re: binds only for s,u,i,d?  (Greg Stark <gsstark@mit.edu>)
List pgsql-hackers
On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
> Why are only select, insert, update, and delete supported for $X binds?

This is a property of the way prepared statements are implemented.
Prepared statement parameters can be used in the place of expressions in
optimizable statements (the actual parameter substitution is done by
the executor). Hence you can only have parameters in places where you
can have expressions.

> Why can't preparation be used as a global anti-injection facility?

Well, you can't reasonably allow parameters to appear just anywhere in a
statement, if you want to have a hope of parsing the statement: consider
"PREPARE foo AS $1; EXECUTE foo("SELECT 1");", for example.

It would be somewhat more reasonable to allow parameters to be used in
the place of identifiers, but even then, you wouldn't be able to do very
much meaningful analysis or optimization when the statement was prepared
(for example, adding new relations to a SELECT query at EXECUTE-time
could change the semantics of the query). All that work would need to be
deferred to EXECUTE-time, which would largely defeat the purpose of
server-side prepared statements, no?

-Neil
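The practical consequence of Neil's answer, as an added example that is not part of the original thread: because a `$n` parameter can only stand where an expression can stand, a bound value is the right tool for a comparison value, but table and column names still have to be validated and quoted on the client side. The code below (mine, not from anyone on the list) builds a `SELECT ... WHERE col = $1` statement that way. The allowlist of relations and columns, and the sample values, are constructed for the demo; the quoting rule implemented in `quote_ident` is PostgreSQL's quoted-identifier rule (wrap in double quotes, double any embedded double quote), and the statement text is what a driver would send to PREPARE, with the value supplied separately as the parameter.

```python
"""Added example: bind values as $1 parameters, allowlist and quote identifiers.

PostgreSQL accepts $n only in expression positions, so
    PREPARE foo AS SELECT * FROM $1
is a syntax error: a relation name is not an expression. Identifiers
therefore never reach the server as parameters; this module checks them
against a constructed allowlist and double-quotes them itself.
"""

# Constructed allowlist: the only relations and columns this code may name.
ALLOWED_COLUMNS = {
    "accounts": {"id", "owner", "balance"},
    "audit_log": {"id", "event", "created_at"},
}


def quote_ident(name: str) -> str:
    """Quote an identifier following PostgreSQL's quoted-identifier rule:
    wrap it in double quotes and double every embedded double quote.
    This is what the server-side quote_ident() does for arbitrary names."""
    if "\x00" in name:
        raise ValueError("identifiers cannot contain NUL")
    return '"' + name.replace('"', '""') + '"'


def build_lookup(table: str, column: str, value) -> tuple:
    """Return (statement_text, parameters) for
        SELECT * FROM <table> WHERE <column> = $1
    The identifiers are checked against ALLOWED_COLUMNS and quoted here;
    the value is never interpolated into the text, it is returned as the
    single parameter for the driver to bind as $1 (an expression position,
    which is exactly where PostgreSQL permits a parameter)."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table: {table!r}")
    if column not in ALLOWED_COLUMNS[table]:
        raise ValueError(f"unknown column {column!r} for table {table!r}")
    text = f"SELECT * FROM {quote_ident(table)} WHERE {quote_ident(column)} = $1"
    return text, [value]


if __name__ == "__main__":
    # Constructed inputs: a value containing a quote travels out-of-band,
    # untouched, while a hostile table name never makes it into the text.
    print(build_lookup("accounts", "owner", "o'brien"))
    try:
        build_lookup('accounts"; DROP TABLE audit_log; --', "id", 1)
    except ValueError as exc:
        print("rejected:", exc)
```

The value `o'brien` shows the division of labour: it appears only in the parameter list, never in the statement text, so no client-side escaping of values is needed; the identifier check is the part that parameter binding cannot do for you, which is why PREPARE is not a "global anti-injection facility" in the sense the original question asked about.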