I am new to creating plpgsql functions. I need clarification regarding the use of quote_ident() (and quote_literal()) on dynamic commands being executed inside a function. I hope someone can give me a specific explanation of how they work inside a function. TIA
Here's an example of it:
execute 'update tbl set ' || quote_ident(colname) || ' = ' || quote_literal(newvalue) || ' where key = ' || quote_literal(keyvalue);
quote_ident is used for quoting identifiers. quote_literal is used for quoting strings.
postgres=# select quote_ident('tablename');
┌─────────────┐
│ quote_ident │
╞═════════════╡
│ tablename   │
└─────────────┘
(1 row)

postgres=# select quote_ident('special name');
┌────────────────┐
│  quote_ident   │
╞════════════════╡
│ "special name" │
└────────────────┘
(1 row)

postgres=# select quote_literal(e'some text special char"\'"');
┌───────────────────────────────────┐
│           quote_literal           │
╞═══════════════════════════════════╡
│ 'some text special char"''"'      │
└───────────────────────────────────┘
(1 row)

What is an identifier? Names of tables, columns, schemas, sequences, ... What is a literal? A text value (but it can be a value of any type). Both functions search for and replace special characters, but with different rules, because identifiers and strings are different in SQL.
Now, these functions are a little bit obsolete. quote_literal should be replaced by the USING clause (better performance), and quote_ident should be replaced by the formatting function format (due to better readability):
execute format('update tbl set %I=$1 where key=$2', colname) using newvalue, keyvalue;
or with the format function only:
execute format('update tbl set %I=%L where key=%L', colname, newvalue, keyvalue);
Without quoting, dynamic SQL a) should not work (fails on a syntax error), b) would be unsafe against SQL injection.
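
The two recommendations in the answer above (quote the identifier with format's %I, pass the values through USING), as an added example that is not part of the original post. The table demo_tbl, the function set_col and the sample values are constructed for illustration.

```sql
-- Added example; demo_tbl and set_col are hypothetical names.
create temp table demo_tbl (
  key            text primary key,
  note           text,
  "special name" text   -- a column name that only works when quoted
);
insert into demo_tbl (key) values ('k1'), ('k2');

create function set_col(colname text, newvalue text, keyvalue text)
returns bigint
language plpgsql as $$
declare
  n bigint;
begin
  -- %I quotes colname as an identifier (same rules as quote_ident).
  -- newvalue and keyvalue are bound through USING, so they are sent as
  -- parameters and are never parsed as part of the SQL text.
  execute format('update demo_tbl set %I = $1 where key = $2', colname)
    using newvalue, keyvalue;
  get diagnostics n = row_count;
  return n;   -- number of rows the update touched
end;
$$;

-- A column name with a space: %I emits it double-quoted, the update runs.
select set_col('special name', 'x', 'k1');

-- Constructed key value containing quotes and an always-true condition.
-- It is compared as plain data, matches no key, and updates no rows.
select set_col('note', 'y', $v$k1' or 'a'='a$v$);

-- Constructed column name carrying extra SQL. %I turns the whole string
-- into one quoted identifier, so the call raises "column does not exist"
-- instead of executing the embedded text. Uncomment to see the error.
-- select set_col('note = null --', 'y', 'k1');

-- The quoting functions applied to the same inputs: the identifier is
-- wrapped in double quotes, embedded single quotes in the literal are doubled.
select quote_ident('note = null --');
select quote_literal($v$k1' or 'a'='a$v$);
```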