Hello

The EXECUTE statement doesn't support parametrization via an SPI_execute_with_args call, and PQexecParams doesn't support it either. It can be a security issue. If somebody uses a prepared statement as protection against SQL injection, then all security goes out, because he has to call EXECUTE without parametrization.
Regards
Pavel Stehule

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
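The consequence described above, as an added example that is not part of the thread or of PostgreSQL's own code: when a client cannot bind $1 into a SQL-level EXECUTE, the value has to be spliced into the command text, and the only defence left is literal quoting. The Python below contrasts the naive splice with a quote_literal that doubles embedded single quotes (the rule PostgreSQL's quote_literal and libpq's PQescapeLiteral apply when standard_conforming_strings is on, which this example assumes), and includes a small splitter that counts how many top-level statements the server would see. The statement name find_account and the attacker payload are constructed for the example.

```python
import re

# Prepared-statement names are plain identifiers; reject anything else before
# interpolating the name into EXECUTE (assumption: unquoted identifiers only).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed attacker input: closes the literal and the argument list, then
# appends a second command and comments out the rest of the line.
PAYLOAD = "x'); DROP TABLE accounts; --"


def build_execute_unsafe(stmt_name: str, value: str) -> str:
    """The naive workaround: splice the value straight into the EXECUTE text."""
    return f"EXECUTE {stmt_name}('{value}')"


def quote_literal(value: str) -> str:
    """Render value as a PostgreSQL string literal.

    Wrap in single quotes and double every embedded single quote. With
    standard_conforming_strings = on (the assumption here) backslashes are
    ordinary characters, so no further escaping is needed. A NUL byte can
    never be part of a literal, so it is rejected outright.
    """
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a string literal")
    return "'" + value.replace("'", "''") + "'"


def build_execute_quoted(stmt_name: str, value: str) -> str:
    """EXECUTE with the argument passed as a properly quoted literal."""
    if not IDENT_RE.match(stmt_name):
        raise ValueError("statement name must be a plain identifier")
    return f"EXECUTE {stmt_name}({quote_literal(value)})"


def split_statements(sql: str) -> list[str]:
    """Split on ';' outside single-quoted literals, ignoring '--' comments.

    Doubled quotes ('') stay inside the literal. This mimics only enough of
    the server's lexer to show how many commands a simple-query string holds.
    """
    stmts, buf, in_lit = [], [], False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_lit:
            if ch == "'":
                if sql.startswith("''", i):   # escaped quote, still in literal
                    buf.append("''")
                    i += 2
                    continue
                in_lit = False
            buf.append(ch)
        elif ch == "'":
            in_lit = True
            buf.append(ch)
        elif sql.startswith("--", i):         # comment runs to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def demo() -> tuple[list[str], list[str]]:
    """Return the statements the server would see for both constructions."""
    unsafe = build_execute_unsafe("find_account", PAYLOAD)
    quoted = build_execute_quoted("find_account", PAYLOAD)
    return split_statements(unsafe), split_statements(quoted)


if __name__ == "__main__":
    unsafe_stmts, quoted_stmts = demo()
    print("unsafe splice ->", unsafe_stmts)    # two commands, DROP TABLE included
    print("quoted literal ->", quoted_stmts)   # one command, payload stays a string
```

In a real client the quoting step is PQescapeLiteral (or quote_literal inside SPI code), not a hand-rolled function, and the string still goes through PQexec as a simple query; the example only makes visible why the EXECUTE text, unlike a PQexecParams call, has nothing but quoting between the caller's value and the parser.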