Gregory Stark <st...@enterprisedb.com> writes: > There's an argument to be made that the code is easier to audit if you put the > "%s" format string in explicitly too.
Yeah, the risk this is trying to guard against is variables containing "%" unexpectedly. Even if that's not possible, it requires some work to verify and it's a bit fragile. I didn't look at the specific cases yet but in general I think this is a good policy. One thing to watch out for is that the intention may have been to allow the strings to be translated. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers