Martijn van Oosterhout <kleptog@xxxxxxxxx> writes:
> On Wed, Feb 11, 2015 at 02:22:10PM -0500, Tom Lane wrote:
>> Nope. DDL commands generally don't have any support for evaluating
>> expressions, which would be the context in which parameters would
>> be useful. Nor have they got plans, which would be the requirement
>> for prepared statements to be good for much either.

> Not really true, there are plenty of cases where you just want to fill
> in literals without having to worry about quoting. For example:

> DROP TABLE %s

True, but that is not what Postgres thinks is a parameter; for example
you cannot do "SELECT * FROM %s", nor could you persuade it to interpret
a parameter as a column reference in a SELECT.

> ... is opening yourself up to SQL injection. I've wondered if it were
> possible to be able to say:

> DROP TABLE IDENTIFIER($1);

A meta-function like that would just provide a different route for SQL
injection, I suspect, particularly when attacking applications that
hadn't gotten the memo about "IDENTIFIER()" being magic.

I think there's considerable value in a client-library function for safe
interpolation of this sort, but I doubt that trying to shoehorn it into
the server is the answer.

regards, tom lane

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
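The client-library identifier quoting Tom argues for, as an added example that is not code from this thread or from PostgreSQL itself (in practice libpq's PQescapeIdentifier or psycopg2's sql.Identifier do this job). It applies the server's quote_ident() rule in plain Python and checks the raw "DROP TABLE %s" form from the thread against the quoted form with a constructed hostile table name; the statement counter is a deliberately small check, not a SQL parser.

```python
# Added example, not from the thread: quote_ident()-style quoting on the
# client side, next to the raw "%s" pasting the thread warns about.
# Pure string handling; no database connection is needed.


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier so the server reads it as one name.

    Same rule the server applies in quote_ident(): wrap in double quotes
    and double every embedded double quote. A NUL byte can never be part
    of an identifier, so it is rejected rather than quoted.
    """
    if "\0" in name:
        raise ValueError("identifier may not contain NUL")
    return '"' + name.replace('"', '""') + '"'


def qualified_name(*parts: str) -> str:
    """Quote each part of a dotted name on its own: "schema"."table"."""
    return ".".join(quote_ident(p) for p in parts)


def unsafe_drop(table: str) -> str:
    """The pattern from the thread: the table name is pasted in verbatim."""
    return "DROP TABLE %s" % table


def safe_drop(table: str) -> str:
    """Same statement, but the name goes through quote_ident() first."""
    return "DROP TABLE %s" % quote_ident(table)


def count_statements(sql: str) -> int:
    """Count top-level statements: ';' outside quoted names and literals.

    Small demo check only. Tracks both '"' and "'" and treats a doubled
    quote ("" or '') as an escaped quote that stays inside the token.
    """
    count, quote, last_split, i = 0, None, -1, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:
                    i += 1  # doubled quote: still inside the token
                else:
                    quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == ";":
            count, last_split = count + 1, i
        i += 1
    tail = sql[last_split + 1:].strip()  # text after the last top-level ';'
    return count + (1 if tail and not tail.startswith("--") else 0)
```

With a constructed name such as "users; DROP TABLE audit_log; --", unsafe_drop() yields two statements while safe_drop() yields one, because the whole name is now inside one double-quoted identifier.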