Andrew Hall <[email protected]> writes:
> Is there a recommended way to translate this function into plpgSQL which
> would protect me from SQL Injection (most important for me) and use bind
> variables (of secondary importance)?
See quote_literal() and/or quote_nullable(). On the whole though I
think you'd be best off not using a dynamically-constructed query at
all --- given the desired %'s in the LIKE pattern, there is not going
to be any benefit at all from using an unparameterized query. Just
write it out without all the string-construction.
regards, tom lane
--
Sent via pgsql-sql mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-sql
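The three options Tom mentions, written out as an added example (not code from the thread). It assumes a hypothetical table `customers(name text)` and a search function that wraps the caller's fragment in `%` for a `LIKE` match; the function names are invented for illustration.

```sql
-- Constructed sample data; not from the original thread.
CREATE TABLE customers (id serial PRIMARY KEY, name text NOT NULL);
INSERT INTO customers (name) VALUES ('Alice Adams'), ('Bob Brown'), ('O''Neil');

-- 1. The pattern the question describes: caller text spliced into the statement.
--    A fragment containing a single quote breaks out of the literal, so the
--    caller controls the statement text, not just a value.
CREATE OR REPLACE FUNCTION find_customers_unsafe(p_fragment text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM customers WHERE name LIKE ''%' || p_fragment || '%''';
END;
$$;

-- 2. Dynamic SQL made safe with quote_nullable(): the whole pattern is escaped
--    as one literal (quote_nullable also yields NULL rather than 'NULL' for a
--    NULL input).  quote_literal() works the same way for non-null values.
CREATE OR REPLACE FUNCTION find_customers_quoted(p_fragment text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM customers WHERE name LIKE '
    || quote_nullable('%' || p_fragment || '%');
END;
$$;

-- 3. Dynamic SQL with a bind parameter: EXECUTE ... USING passes the value
--    separately from the statement text, so no escaping is needed at all.
CREATE OR REPLACE FUNCTION find_customers_bound(p_fragment text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM customers WHERE name LIKE $1'
    USING '%' || p_fragment || '%';
END;
$$;

-- 4. What the reply recommends: no string construction of the statement.
--    p_fragment is only ever a value in an expression; the % wildcards are
--    added by concatenation inside the query, and PL/pgSQL plans this with
--    the variable as a parameter.
CREATE OR REPLACE FUNCTION find_customers(p_fragment text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY
    SELECT * FROM customers WHERE name LIKE '%' || p_fragment || '%';
END;
$$;

-- The quote in the input is just data for versions 2-4; only version 1
-- mis-parses it.
SELECT * FROM find_customers('O''Neil');
SELECT * FROM find_customers_bound('Brown');
```

One caveat that applies even to the safe forms: `%` and `_` in `p_fragment` are still `LIKE` wildcards, so a caller can widen the match (for example, an empty fragment matches every row). That is not injection, but if the fragment must be matched literally, escape those two characters before concatenating or restrict the input.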