Hello,

this proposal changes an older, unaccepted proposal:
http://archives.postgresql.org/pgsql-hackers/2006-03/msg01157.php

Changes:
 * based on prepared statements
 * syntax and behaviour are close to Oracle
 * usable as protection from SQL injection

New syntax:
 a) EXECUTE stringexpr [INTO [STRICT] varlist] [USING exprlist]
 b) FOR varlist IN EXECUTE stringexpr USING exprlist LOOP ....

Reason:
 * defence from SQL injection
 * more readable, shorter, more comfortable

Sample (secure dynamic statement):

EXECUTE 'SELECT * FROM '
   || CASE tblname
        WHEN 'tab1' THEN 'tab1'
        WHEN 'tab2' THEN 'tab2'
        ELSE '"some is wrong"'
      END
   || ' WHERE c1 = $1 AND c2 = $2'
  USING unsecure_parameter1, unsecure_parameter2;

Difference between PL/SQL and this proposal:
 * only IN variables are allowed
 * PostgreSQL placeholder notation is used - "$"n instead of ":"n

Compliance with PL/SQL:
 * You can use numeric, character, and string literals as bind arguments
 * You cannot use bind arguments to pass the names of schema objects to a dynamic SQL statement.

Best regards
Pavel Stehule
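An added example, not code from Pavel's post: the same lookup written first with plain string concatenation and then with the proposed EXECUTE ... USING and FOR ... IN EXECUTE ... USING forms, so the two ways of handling untrusted input sit side by side. The tables tab1/tab2, columns c1 (text) and c2 (int) and the function names are assumptions.

```sql
-- Added example (not from the proposal); tab1/tab2, c1, c2 are assumed to exist.

-- Vulnerable: untrusted values are spliced into the SQL text. Any v1 that
-- contains a quote character can terminate the literal and alter the WHERE clause.
CREATE OR REPLACE FUNCTION count_rows_unsafe(tblname text, v1 text, v2 int)
RETURNS bigint AS $$
DECLARE n bigint;
BEGIN
  EXECUTE 'SELECT count(*) FROM ' || tblname
       || ' WHERE c1 = ''' || v1 || ''' AND c2 = ' || v2 INTO n;
  RETURN n;
END;
$$ LANGUAGE plpgsql;

-- Hardened, in the syntax of the proposal: data values travel as bind
-- arguments ($1, $2) and never become part of the statement text. A table
-- name cannot be bound, so it is mapped through a fixed allow-list instead.
CREATE OR REPLACE FUNCTION count_rows_safe(tblname text, v1 text, v2 int)
RETURNS bigint AS $$
DECLARE
  n bigint;
  tbl text;
BEGIN
  tbl := CASE tblname
           WHEN 'tab1' THEN 'tab1'
           WHEN 'tab2' THEN 'tab2'
         END;                       -- NULL for anything not on the list
  IF tbl IS NULL THEN
    RAISE EXCEPTION 'unknown table: %', tblname;
  END IF;
  EXECUTE 'SELECT count(*) FROM ' || tbl || ' WHERE c1 = $1 AND c2 = $2'
     INTO STRICT n                  -- STRICT: exactly one row expected
    USING v1, v2;                   -- values bound, not concatenated
  RETURN n;
END;
$$ LANGUAGE plpgsql;

-- Row-returning variant using the proposed FOR ... IN EXECUTE ... USING loop.
CREATE OR REPLACE FUNCTION list_c1_safe(v2 int) RETURNS SETOF text AS $$
DECLARE r record;
BEGIN
  FOR r IN EXECUTE 'SELECT c1 FROM tab1 WHERE c2 = $1' USING v2 LOOP
    RETURN NEXT r.c1;
  END LOOP;
  RETURN;
END;
$$ LANGUAGE plpgsql;
```

Only the allow-listed identifier is ever concatenated; everything a caller supplies as data reaches the executor as a parameter of the prepared statement.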