Re: Numerical variables in pqsql statements - Mailing list pgsql-sql

From Thomas F. O'Connell
Subject Re: Numerical variables in pqsql statements
Date
Msg-id F104769F-4833-4E10-892B-8EDCC0AE0E27@sitening.com
Whole thread Raw
In response to Numerical variables in pqsql statements  ("Michael Schmidt" <MichaelMSchmidt@msn.com>)
List pgsql-sql
Michael,

PL/pgSQL variable interpolation works similarly to that in other
popular programming languages. If you have a statement -- whether
it's PERFORM, SELECT INTO, or EXECUTE -- a variable will get
interpolated during parsing if not escaped in a string. Per the
documentation, dynamic values in dynamic queries require special
handling since they might themselves contain quotes:

http://www.postgresql.org/docs/8.0/static/plpgsql-
statements.html#PLPGSQL-STATEMENTS-EXECUTING-DYN

But your temp table statement below is fine if you know that there
will never be quotes in refer_num.

And it would work similarly if you built it dynamically via string
concatenation as a query to be executed with quote_literal escaping
for refer_num.

Typically, you need to protect yourself against user input to a
function. If you're computing values in the function body that you
know to be safe or passing in safe values generated elsewhere in the
application, you're less likely to need to quote your variables
explicitly or to build queries dynamically.

--
Thomas F. O'Connell
Co-Founder, Information Architect
Sitening, LLC

Strategic Open Source: Open Your i™

http://www.sitening.com/
110 30th Avenue North, Suite 6
Nashville, TN 37203-6320
615-469-5150
615-469-5151 (fax)

On Aug 21, 2005, at 7:43 PM, Michael Schmidt wrote:

> Folks,
> I'm sure this is dumb, but I'm a little confused about use of
> numerical variables in pqsql.  It was my impression one had to use
> EXECUTE on a concatenated string including quote_literal() for the
> variable containing the value.  This can be quite a bit of
> trouble.  I just wrote a function that included the statement :
>
> CREATE TEMPORARY TABLE author_names AS
>       SELECT ra.ref_auth_key, a.last_name, a.first_name
>       FROM ref_auth ra INNER JOIN authors a
>       ON (ra.author_num = a.author_key)
>       WHERE ra.ref_num = refer_num;
>
> where refer_num is integer.  This worked (surprisingly, to me).
> So, what is the rule regarding variables?  Would this query work if
> I concatenated a string together, including quote_literal
> (refer_num) and then EXECUTEd it?
>
> Thanks and sorry to be so stupid.



pgsql-sql by date:

Previous
From: andy rost
Date:
Subject: sqlstate 02000 while declaring cursor/freeing prepared statements
Next
From: Michael Fuhr
Date:
Subject: Re: sqlstate 02000 while declaring cursor/freeing prepared statements