Put $$ in dollar-quoted string in PostgreSQL

℡╲_俬逩灬. 提交于 2019-12-07 14:33:44

问题


I have a function in Postgres:

CREATE OR REPLACE FUNCTION upsert(sql_insert text, sql_update text) 
RETURNS integer AS
$BODY$
BEGIN
 EXECUTE sql_insert;
 RETURN 1;
EXCEPTION WHEN unique_violation THEN
 EXECUTE sql_update; 
 RETURN 2;
END;
$BODY$
LANGUAGE 'plpgsql' VOLATILE
COST 100;
ALTER FUNCTION upsert(text, text) OWNER TO dce;

I usually use this query to call that function:

select upsert(
  $$INSERT INTO zz(a, b) VALUES (66, 'hahahaha')$$,
  $$UPDATE zz SET a=66, b='hahahaha' WHERE a=66$$
)

It works. Unfortunately, my query string cannot contain $$, like this:

select upsert(
  $$INSERT INTO zz(a, b) VALUES (66, 'ha$$hahaha')$$,
  $$UPDATE zz SET a=66, b='hahahaha' WHERE a=66$$
)

I have read this Postgres documentation but still need assistance how to do it.


回答1:


So use a different dollar-quote instead:

select upsert(
   $weird_string$INSERT INTO zz(a, b) VALUES (66, 'ha$$hahaha')$weird_string$,
   $weird_string$UPDATE zz SET a=66, b='hahahaha' WHERE a=66$weird_string$
   )

This still leaves a theoretical chance that the dollar-quote might be matched inside the string.

If you are building the query by hand, just check for $ in the string. If you are building the query from variables, you could use quote_literal(querystring) instead.

Since Postgres 9.1, there is also the convenient format() function.

As an aside: I assume you are aware that this form of dynamic SQL is extremely vulnerable to SQL injection? Anything of the sort should be for very private or very secure use only.



来源:https://stackoverflow.com/questions/9272007/put-in-dollar-quoted-string-in-postgresql

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!