2009/9/13 decibel <deci...@decibel.org>:
> On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:
>>
>> decibel wrote:
>>>
>>> Speaking of concatenation...
>>>
>>> Something I find sorely missing in plpgsql is the ability to put
>>> variables inside of a string, ie:
>>>
>>> DECLARE
>>> v_table text := ...
>>> v_sql text;
>>> BEGIN
>>> v_sql := "SELECT * FROM $v_table";
>>>
>>> Of course, I'm assuming that if it was easy to do that it would be done
>>> already... but I thought I'd just throw it out there.
>>>
>>
>> Then use a language that supports variable interpolation in strings, like
>> plperl, plpythonu, plruby .... instead of plpgsql.
>
>
> Which makes executing SQL much, much harder.
>
> At least if we get sprintf dealing with strings might become a bit easier...

This feature is nice, but very dangerous: it is the easiest way to make an application vulnerable (to SQL injection)!

regards
Pavel Stehule

> --
> Decibel!, aka Jim C. Nasby, Database Architect  deci...@decibel.org
> Give your computer some brain candy! www.distributed.net Team #1828
>
>
>

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
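
The risk raised in the reply above, as an added example that is not part of the original thread or of PostgreSQL's own code: a PL/pgSQL function that splices variables into dynamic SQL as raw text, beside a version that quotes the identifier with `quote_ident()` and binds the value with `EXECUTE ... USING`. The function names, parameter names and the `owner` column are assumptions made for illustration.

```sql
-- Added example; function names, parameters and the "owner" column are hypothetical.

-- Vulnerable: both variables are pasted into the statement as raw text,
-- which is what implicit interpolation of $v_table would do. Whatever SQL
-- text the caller supplies in v_table or v_owner becomes part of the query.
CREATE OR REPLACE FUNCTION count_rows_unsafe(v_table text, v_owner text)
RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    v_sql   text;
    v_count bigint;
BEGIN
    v_sql := 'SELECT count(*) FROM ' || v_table
          || ' WHERE owner = ''' || v_owner || '''';
    EXECUTE v_sql INTO v_count;
    RETURN v_count;
END;
$$;

-- Hardened: the identifier is quoted, and the value never enters the SQL
-- text at all; it is passed as the bound parameter $1.
CREATE OR REPLACE FUNCTION count_rows_safe(v_table text, v_owner text)
RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    v_sql   text;
    v_count bigint;
BEGIN
    -- quote_ident() treats its argument as ONE identifier: 'public.t' would
    -- become "public.t". Pass schema and table separately if both are needed.
    v_sql := 'SELECT count(*) FROM ' || quote_ident(v_table)
          || ' WHERE owner = $1';
    EXECUTE v_sql INTO v_count USING v_owner;
    RETURN v_count;
END;
$$;
```

Where a value has to appear inside the statement text rather than as a parameter, `quote_literal()` is the matching function for literals.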