Participants
Oliver Kohll
Oliver Kohll
David G. Johnston
David G. Johnston
Attachments
Show all attachments
Thread Outline
#1Oliver KohllOliver Kohll
Apr 13, 2016
#2David G. JohnstonDavid G. Johnstonto Oliver Kohll (#1)
Apr 13, 2016
#3Oliver KohllOliver Kohllto David G. Johnston (#2)
Apr 13, 2016

SET prepared statement

Started by Oliver Kohllalmost 10 years ago3 messagesgeneral
Jump to latest
#1Oliver Kohll
Oliver Kohll
oliver@agilechilli.com

Hello,

We currently use prepared statements for most of the work an app does, as an SQL injection protection and for other reasons.

There's one statement which can't be prepared:

SET LOCAL myprefix.mysetting = 'my setting value';

Ideally, I'd like to be able to do

PREPARE test(text) as SET LOCAL myprefix.mysetting = $1;

but this isn't supported (currently on PG 9.3)

I suspect the answer is 'no' but no harm in asking if it's likely to be considered in future. I can't see it here: https://wiki.postgresql.org/wiki/Todo <https://wiki.postgresql.org/wiki/Todo&gt;

Oliver

#2David G. Johnston
David G. Johnston
david.g.johnston@gmail.com
In reply to: Oliver Kohll (#1)
Re: SET prepared statement

On Wed, Apr 13, 2016 at 8:38 AM, Oliver Kohll <oliver@agilechilli.com>
wrote:

Hello,

We currently use prepared statements for most of the work an app does, as
an SQL injection protection and for other reasons.

There's one statement which can't be prepared:

SET LOCAL myprefix.mysetting = 'my setting value';

Ideally, I'd like to be able to do

PREPARE test(text) as SET LOCAL myprefix.mysetting = $1;

but this isn't supported (currently on PG 9.3)

I suspect the answer is 'no' but no harm in asking if it's likely to be
considered in future. I can't see it here:
https://wiki.postgresql.org/wiki/Todo

​Given that you can simply use the "set_config(...)" function I'd say that
this command will have not particular in the decision work on improving
this limitation in the system.

http://www.postgresql.org/docs/9.5/interactive/functions-admin.html#FUNCTIONS-ADMIN-SET

​David J.​

#3Oliver Kohll
Oliver Kohll
oliver@agilechilli.com
In reply to: David G. Johnston (#2)
Re: SET prepared statement

On 13 Apr 2016, at 16:48, David G. Johnston <david.g.johnston@gmail.com> wrote:

On Wed, Apr 13, 2016 at 8:38 AM, Oliver Kohll <oliver@agilechilli.com <mailto:oliver@agilechilli.com>> wrote:
Hello,

We currently use prepared statements for most of the work an app does, as an SQL injection protection and for other reasons.

There's one statement which can't be prepared:

SET LOCAL myprefix.mysetting = 'my setting value';

Ideally, I'd like to be able to do

PREPARE test(text) as SET LOCAL myprefix.mysetting = $1;

but this isn't supported (currently on PG 9.3)

I suspect the answer is 'no' but no harm in asking if it's likely to be considered in future. I can't see it here: https://wiki.postgresql.org/wiki/Todo <https://wiki.postgresql.org/wiki/Todo&gt;

​Given that you can simply use the "set_config(...)" function I'd say that this command will have not particular in the decision work on improving this limitation in the system.

http://www.postgresql.org/docs/9.5/interactive/functions-admin.html#FUNCTIONS-ADMIN-SET <http://www.postgresql.org/docs/9.5/interactive/functions-admin.html#FUNCTIONS-ADMIN-SET&gt;

​David J.​

Ah excellent, I should have seen that, thanks.

Oliver

← Back to Topics