Menu
I am just new in creating plpgsql function.I need some clarifications regarding the use of quote_ident() (and even quote_literal()) on dynamic commands being executed inside the function. Hope that anybody could give me a specific explanation on how they worked inside a function. TIA
Here's an example of it:
EXECUTE 'UPDATE tbl SET ' || quote_ident(colname) || ' = ' || quote_literal(newvalue) || ' WHERE key = ' || quote_literal(keyvalue);
373
quote_ident ( text ) → text. Returns the given string suitably quoted to be used as an identifier in an SQL statement string. Quotes are added only if necessary (i.e., if the string contains non-identifier characters or would be case-folded). Embedded quotes are properly doubled.
plpgsql is the name of the language that the function is implemented in. Here, we use this option for PostgreSQL, it Can be SQL, C, internal, or the name of a user-defined procedural language. For backward compatibility, the name can be enclosed by single quotes.
:= is the assignment operator in PL/pgSQL.
The LTRIM() function removes all characters, spaces by default, from the beginning of a string. The RTRIM() function removes all characters, spaces by default, from the end of a string. The BTRIM function is the combination of the LTRIM() and RTRIM() functions.
quote_ident is used for identifiers quoting. quote_literal is used for string quoting.
postgres=# select quote_ident('tablename');
┌─────────────┐
│ quote_ident │
╞═════════════╡
│ tablename │
└─────────────┘
(1 row)
postgres=# select quote_ident('special name');
┌────────────────┐
│ quote_ident │
╞════════════════╡
│ "special name" │
└────────────────┘
(1 row)
postgres=# select quote_literal(e'some text with special char"\'"');
┌───────────────────────────────────┐
│ quote_literal │
╞═══════════════════════════════════╡
│ 'some text with special char"''"' │
└───────────────────────────────────┘
(1 row)
What is identifier? Names of tables, columns, schemas, sequences, ... What is literal? - usually some text value (but can be a value of any type). Both function search and replace some special chars, but with different rules - identifiers and strings are different in SQL.
Now - these functions are little bit obsolete. quote_literal should be replaced by clause USING (better performance), quote_ident should be replaced by formatting function format (due better readability):
EXECUTE format('UPDATE tbl SET %I=$1 WHERE key=$2', colname)
USING newvalue, keyvalue;
or only with format function
EXECUTE format('UPDATE tbls SET %I=%L WHERE key=%L', colname, newvalue, keyvalue);
Without quoting your dynamic SQL a) should not work (fails on syntax error), b) be unsafe against sql injection.
141
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
