Alex Hunsaker <badalex@gmail.com> writes:
> Let me see if I can sum up what I was trying to say:
> [ this can be solved by using or avoiding prepared statements ]
Not really. The place where that argument really fails is inside
server-side functions: you don't get to use query submission protocol
there. But even for client-submitted queries, it's often the case
that there is only one convenient way to do it given a particular
software stack on the client side. If there is more than one way
they're usually radically different notationally, and some of them
might be vulnerable to SQL injection. The comparable thing in plpgsql
is EXECUTE versus direct execution of a query: they're very different
notationally, so unpleasant to convert between, and it's easy to
create a security hole when interpolating parameters in EXECUTE.
I think this is basically a planner problem and should be fixed in the
planner, not by expecting users to make significant changes in
application logic in order to create an indirect effect.
regards, tom lane
