On Thu, Jul 28, 2011 at 4:18 AM, Sim Zacks <sim@xxxxxxxxxxxxxx> wrote:
> I need an eval function that will evaluate a valid SQL expression and return
> the value.
>
> I've seen variations of this asked before with no real answer.
>
> I wrote a function to handle it, but it looks like there should be a better
> way to do this (see below).
>
> My use case is a table with date range definitions that should be evaluated
> dynamically:
>

There's a major security cost to doing things this way, btw. If you have a function that is doing this and can possibly be called by the client app, then you have the possibility of sql injection. Similarly if any function's arguments can be parsed this way, it's also a potential issue.

I know you are doing a lot of your work in PL/Python. The plpgsql code is pretty straight-forward and I am not sure there is any issue in just simply adding a couple lines of code to relevant PL/Pgsql functions to avoid making this an interface.

With PL/Python, I wonder if it wouldn't be a bad idea to create a separate class which can handle this and pass the data down that way. But I would try to avoid exposing portions of dynamic SQL to a SQL-level API.

Just my $0.02

Best Wishes,
Chris Travers
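
One shape the "separate class" idea from the reply could take, as an added example that is not code from the thread: the range definitions are stored in a small fixed vocabulary instead of SQL text, so nothing from the table is ever handed to the SQL parser. The class name `DateRangeDef`, the bound grammar and the sample rows are all assumptions made for illustration.

```python
import re
from datetime import date, timedelta

# Assumed grammar for a stored bound: an anchor, optionally followed by a signed
# whole number of days or weeks, e.g. "today", "today-7d", "month_start+2w".
_BOUND = re.compile(r"(today|month_start|year_start)(?:([+-])([0-9]{1,4})([dw]))?")

_ANCHORS = {
    "today": lambda t: t,
    "month_start": lambda t: t.replace(day=1),
    "year_start": lambda t: t.replace(month=1, day=1),
}


class DateRangeDef:
    """Resolves a stored range definition without evaluating any SQL text."""

    def __init__(self, start_expr, end_expr):
        self.start = self._parse(start_expr)
        self.end = self._parse(end_expr)

    @staticmethod
    def _parse(expr):
        m = _BOUND.fullmatch(expr.strip())
        if m is None:
            # Anything outside the grammar (quotes, semicolons, subqueries,
            # function calls) is rejected rather than passed to the database.
            raise ValueError("unsupported range bound: %r" % expr)
        anchor, sign, count, unit = m.groups()
        days = 0
        if sign:
            days = int(count) * (7 if unit == "w" else 1)
            if sign == "-":
                days = -days
        return anchor, days

    def resolve(self, today):
        """Return (start_date, end_date) relative to the given day."""
        out = [_ANCHORS[a](today) + timedelta(days=d)
               for a, d in (self.start, self.end)]
        if out[0] > out[1]:
            raise ValueError("range start is after range end")
        return tuple(out)


# Constructed sample rows: (label, start bound, end bound).
SAMPLE_ROWS = [("last 7 days", "today-7d", "today"),
               ("month to date", "month_start", "today")]
```

The resolved dates can then be passed to a query as ordinary bound parameters, so the database never sees the stored definition itself.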