EXECUTE statement syntax error in PostgreSQL
I am developing an extension to a PostgreSQL library that takes the string representation of a query as input. Basically I need to instantiate the result table produced by this string-based query, modify it, and then pass it to another function.
For now I am just trying to instantiate the query as a temporary table, so I am using this example query:
CREATE TEMPORARY TABLE pgr_table (seq INTEGER, path_seq INTEGER, node INTEGER, edge BIGINT, cost DOUBLE PRECISION, agg_cost DOUBLE PRECISION);
EXECUTE 'SELECT gid AS id, source, target, cost, reverse_cost FROM ways;' INTO pgr_table;
But this causes a syntax error right after the EXECUTE command. Am I using it wrong?
By the way, I am aware of the dangers of SQL injection and of using EXECUTE carelessly. The query I am running is not designed for front-end use, and I am following the design pattern already laid out by the library I am modifying.
You are confusing SQL EXECUTE with PL/pgSQL EXECUTE. The first executes a prepared statement and is run in SQL (as you tried). The second is part of the code of a PL/pgSQL function:
https://www.postgresql.org/docs/current/static/sql-execute.html
EXECUTE — execute a prepared statement
Oftentimes you will want to generate dynamic commands inside your PL/pgSQL functions, that is, commands that will involve different tables or different data types each time they are executed. PL/pgSQL's normal attempts to cache plans for commands (as discussed in Section 42.10.2) will not work in such scenarios. To handle this sort of problem, the EXECUTE statement is provided:
Example:
t=# prepare s as select now();
PREPARE
t=# execute s;
now
-------------------------------
2017-12-14 12:47:28.844485+00
(1 row)
And PL/pgSQL:
t=# do
$$
declare
t text;
begin
execute 'select now()' into t;
raise info '%',t;
end;
$$
;
INFO: 2017-12-14 12:48:45.902768+00
DO
Update
To avoid injection with dynamic code, use the function format:
https://www.postgresql.org/docs/current/static/functions-string.html
Format arguments according to a format string. This function is
similar to the C function sprintf.
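As an added example (not from the original post or the answer), here are the two points of the answer combined: a PL/pgSQL function that materialises the asker's query string into the temporary table with PL/pgSQL's EXECUTE, using format() to quote the parts that come from outside. The function names materialize_query and materialize_edges are assumptions; the tables ways and pgr_table come from the question.

```sql
-- Added example, not the library's own code. Takes the query text the
-- asker's library receives and materialises its result as a temporary table.
CREATE OR REPLACE FUNCTION materialize_query(query_text text, target_table text)
RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    n_rows bigint;
BEGIN
    -- %I quotes the identifier, so an unusual table name cannot alter the
    -- statement. The query text itself is the trusted input the asker's
    -- library already accepts; it is spliced in with %s, unquoted.
    EXECUTE format('DROP TABLE IF EXISTS %I', target_table);
    EXECUTE format('CREATE TEMPORARY TABLE %I AS %s', target_table, query_text);
    -- PL/pgSQL EXECUTE ... INTO stores a single result row, as in the answer.
    EXECUTE format('SELECT count(*) FROM %I', target_table) INTO n_rows;
    RETURN n_rows;
END
$$;

-- Where part of the command comes from outside (here a node id used as a
-- filter), never concatenate it into the text; %L renders it as a quoted
-- SQL literal so it cannot close the string and add more SQL.
CREATE OR REPLACE FUNCTION materialize_edges(source_node integer)
RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    n_rows bigint;
BEGIN
    EXECUTE format('DROP TABLE IF EXISTS %I', 'pgr_table');
    EXECUTE format(
        'CREATE TEMPORARY TABLE %I AS '
        'SELECT gid AS id, source, target, cost, reverse_cost FROM %I WHERE source = %L',
        'pgr_table', 'ways', source_node);
    EXECUTE format('SELECT count(*) FROM %I', 'pgr_table') INTO n_rows;
    RETURN n_rows;
END
$$;

-- Usage in psql, assuming a table "ways" exists as in the question:
-- SELECT materialize_query('SELECT gid AS id, source, target, cost, reverse_cost FROM ways', 'pgr_table');
-- SELECT materialize_edges(42);
-- SELECT * FROM pgr_table;
```

The second function returns the row count of the filtered copy; an integer parameter is already type-checked by PL/pgSQL, but %L keeps the same pattern correct when the filter value is text.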