On Thu, Aug 14, 2014 at 1:17 AM, John R Pierce <pierce@xxxxxxxxxxxx> wrote:
> On 8/13/2014 10:59 PM, Andrew Bartley wrote:
>
> I need this because it is a customer requirement. The underlying tables the
> api will query are dynamically created, they are period/content partitioned
> and distributed across multiple servers and database types... not just
> postgres. The api/function will determine what servers/databases/tables
> (some of them are foreign tables) to query based on the parameters passed to
> the api. The customer wants to use their current reporting tool that does
> not support function selects.
>
>
> I don't know how you would pass those expression fragments to a view to be
> passed to the function, however.
>
> what you describe above (and in the rest of your post) sounds very
> convoluted, and rather prone to poor performance.

Also be advised that sending user generated raw text to an EXECUTE'd
statement is a horrible injection risk. It's still ok (sometimes) but
only in a 100% trust situation. Perhaps you could add a little bit of
safety by making two arguments: comparison field and comparison value
and using quote_ident/quote_literal around them; it's a good habit to
use quote_xx around any token that is possible to be supplied by a
human.

merlin

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
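
One way to apply the two-argument suggestion from the reply above, as an added example that is not part of the original thread. The table `report_rows` and both function names are hypothetical, and the sample rows are constructed.

```sql
-- Constructed sample table (hypothetical name and columns).
CREATE TABLE report_rows (id int, region text, amount numeric);
INSERT INTO report_rows VALUES (1, 'north', 10), (2, 'south', 20);

-- Risky form: a caller-supplied fragment is concatenated into the statement,
-- so the caller controls the SQL text that EXECUTE runs.
CREATE FUNCTION report_unsafe(p_filter text)
RETURNS SETOF report_rows
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT * FROM report_rows WHERE ' || p_filter;
END;
$$;

-- Safer form: comparison field and comparison value are separate arguments,
-- each quoted for the role it plays in the statement.
-- STRICT: a NULL argument returns no rows instead of reaching EXECUTE
-- (quote_literal(NULL) is NULL, which would make the whole string NULL).
CREATE FUNCTION report_by_field(p_field text, p_value text)
RETURNS SETOF report_rows
LANGUAGE plpgsql STRICT AS $$
BEGIN
    -- Allow-list: the field must be an existing column of the target table.
    IF NOT EXISTS (
        SELECT 1 FROM pg_attribute
        WHERE attrelid = 'report_rows'::regclass
          AND attname = p_field
          AND attnum > 0
          AND NOT attisdropped
    ) THEN
        RAISE EXCEPTION 'unknown comparison field: %', p_field;
    END IF;

    RETURN QUERY EXECUTE
        'SELECT * FROM report_rows WHERE '
        || quote_ident(p_field)       -- identifier quoting
        || '::text = '
        || quote_literal(p_value);    -- literal quoting
END;
$$;

-- Returns the 'north' row.
SELECT * FROM report_by_field('region', 'north');
-- Returns no rows: the whole value is compared as a single string literal.
SELECT * FROM report_by_field('region', 'north'' OR ''1''=''1');
```

The column check matters because `quote_ident` only makes the identifier syntactically safe; it does not restrict which columns a caller may filter on.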