On Tue, Nov 23, 2021 at 7:21 AM <to...@tuxteam.de> wrote: > Makes sense. Problem is, that, again, the application would be > responsible of making sure the individual values don't contain nasty > stuff (for example, if they are strings) before consolidating them to > one PostgreSQL array literal. > > So long as you actually pass the literal value via a parameter the worst problem you can have is a syntax error in converting the literal into whatever type is being cast to.
I personally tend to just build up a CSV-like string (my data is usually controlled enough the using the pipe symbol as a separator alleviates escaping concerns) and using string_to_array($1,'|') to get the array of values into the query. David J.