On Mon, Feb 11, 2019 at 11:22 AM Kaleb Akalework
<kaleb.akalework@asg.com> wrote:
> v_sql := ' WITH upd AS ( ';
> v_sql := v_sql || ' UPDATE ' || v_tpc_db_table || ' ';
> v_sql := v_sql || ' SET topic_value = ' || v_replace_str || ' ';
> v_sql := v_sql || ' WHERE topic_value = ''' || p_old_value || ''' ';
> v_sql := v_sql || ' RETURNING 1 ) ';
> v_sql := v_sql || ' SELECT COUNT(*) FROM upd ';
PostgreSQL provides two features to avoid writing SQL-injection prone
code like this. Use one of them.
quote_literal() and related functions
The format() function and its %L and related specifiers.
You can also place "$n" placeholders into the dynamic command as pass
literals in via EXECUTE USING.
Or some combination of the above.
This is all nicely covered in the documentation for pl/pgsql regarding
executing dynamic commands.
https://www.postgresql.org/docs/11/plpgsql-statements.html#PLPGSQL-STATEMENTS-EXECUTING-DYN
David J.
