Re: Selecting values from comma separated string - Mailing list pgsql-sql

From Pavel Stehule
Subject Re: Selecting values from comma separated string
Date
Msg-id 162867790908260633l5245f689v88691a08968b4ab0@mail.gmail.com
In response to Re: Selecting values from comma separated string  ("A. Kretschmer" <andreas.kretschmer@schollglas.com>)
List pgsql-sql
2009/8/26 A. Kretschmer <andreas.kretschmer@schollglas.com>:
> In response to Nacef LABIDI :
>> Hi all,
>>
>> I want to write a function that takes as param a comma separated values string
>> and perform a select matching these values.
>>
>> Here is the string '1,3,7,8'
>>
>> And I want to perform a : SELECT * FROM my_table WHERE id IN (1, 3, 7, 8);
>
> Use EXECUTE sql_string, see
> http://www.postgresql.org/docs/8.4/interactive/plpgsql-control-structures.html
>
> For instance, simple example, untested:
>

Hello

> create function foo (my_string text) returns setof record as $$
> declare
>  sql text;
> begin
>  -- the caller's string is concatenated into the query text
>  sql:='SELECT * FROM my_table WHERE id IN (' || $1 || ')';
>  return query execute sql;
> end;
> $$ language plpgsql;
>

It's a dangerous solution - there can be an SQL injection attack

regards
Pavel Stehule
> The variable sql contains the whole query, and then execute that.
>
> HTH, Andreas
> --
> Andreas Kretschmer
> Kontakt:  Heynitz: 035242/47150,   D1: 0160/7141639 (mehr: -> Header)
> GnuPG-ID:   0x3FFF606C, privat 0x7F4584DA   http://wwwkeys.de.pgp.net
>
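
An added example, not part of the original message or thread: two ways to accept the comma separated string without concatenating it into the query text, so the list can only ever be compared against `id`. Assumptions: `my_table.id` is an integer column, the sample rows are constructed, and the function names `foo_static` and `foo_dynamic` are hypothetical.

```sql
-- Constructed sample table; assumes my_table.id is an integer column.
CREATE TABLE my_table (id integer PRIMARY KEY, label text);
INSERT INTO my_table VALUES (1, 'a'), (2, 'b'), (3, 'c'), (7, 'd'), (8, 'e');

-- Static query: the string is split and cast to integer[]; it is only ever
-- a value compared against id, never part of the SQL text.
CREATE FUNCTION foo_static(id_list text) RETURNS SETOF my_table AS $$
BEGIN
  RETURN QUERY
    SELECT * FROM my_table
    WHERE id = ANY (string_to_array(id_list, ',')::integer[]);
END;
$$ LANGUAGE plpgsql STABLE;

-- Dynamic query, for cases where EXECUTE is really needed: the SQL text is a
-- constant and the parsed array is bound through USING as parameter $1.
CREATE FUNCTION foo_dynamic(id_list text) RETURNS SETOF my_table AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM my_table WHERE id = ANY ($1)'
    USING string_to_array(id_list, ',')::integer[];
END;
$$ LANGUAGE plpgsql STABLE;

-- The list from the original question.
SELECT * FROM foo_static('1,3,7,8');
SELECT * FROM foo_dynamic('1,3,7,8');

-- Input that would change the WHERE clause if concatenated into the query
-- text. Here it is a single array element that is not a valid integer, so
-- the cast raises an error and no query is built from it.
SELECT * FROM foo_static('1) OR (1=1');
```

`EXECUTE ... USING` requires PostgreSQL 8.4 or later, the version whose documentation is linked in the quoted reply.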

