问题
I have a function in Postgres:
CREATE OR REPLACE FUNCTION upsert(sql_insert text, sql_update text)
RETURNS integer AS
$BODY$
BEGIN
EXECUTE sql_insert;
RETURN 1;
EXCEPTION WHEN unique_violation THEN
EXECUTE sql_update;
RETURN 2;
END;
$BODY$
LANGUAGE 'plpgsql' VOLATILE
COST 100;
ALTER FUNCTION upsert(text, text) OWNER TO dce;
I usually use this query to call that function:
select upsert(
$$INSERT INTO zz(a, b) VALUES (66, 'hahahaha')$$,
$$UPDATE zz SET a=66, b='hahahaha' WHERE a=66$$
)
It works. Unfortunately, my query string cannot contain $$
, like this:
select upsert(
$$INSERT INTO zz(a, b) VALUES (66, 'ha$$hahaha')$$,
$$UPDATE zz SET a=66, b='hahahaha' WHERE a=66$$
)
I have read this Postgres documentation but still need assistance how to do it.
回答1:
So use a different dollar-quote instead:
select upsert( $weird_string$INSERT INTO zz(a, b) VALUES (66, 'ha$$hahaha')$weird_string$, $weird_string$UPDATE zz SET a=66, b='hahahaha' WHERE a=66$weird_string$ )
This still leaves a theoretical chance that the dollar-quote might be matched inside the string.
If you are building the query by hand, just check for $
in the string.
If you are building the query from variables, you could use quote_literal(querystring) instead.
Since Postgres 9.1, there is also the convenient format() function.
As an aside: I assume you are aware that this form of dynamic SQL is extremely vulnerable to SQL injection? Anything of the sort should be for very private or very secure use only.
来源:https://stackoverflow.com/questions/9272007/put-in-dollar-quoted-string-in-postgresql