Avoiding SQL injection in Dynamic Queries (in plpgsql) - Mailing list pgsql-general

When writing dynamic commands (those having "EXECUTE 'some SQL
query';), is there a way to prevent interpretation of input parameters
as pieces of SQL commands? Does quote_literal() function implicitly
protect against this unwanted behaviour.

Allan.