函数中的Postgres语法错误 [英] Postgres syntax error in a function
问题描述
我正在尝试创建一个函数,但在以下代码中找不到我的错误:
I am trying to create a function and I can't find my error in the following code:
CREATE OR REPLACE FUNCTION qwat_od.fn_label_create_fields(table_name varchar, position boolean = true, rotation boolean = true) RETURNS void AS
$BODY$
BEGIN
/* Creates columns */
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_1_visible smallint default 1; ';
IF position IS TRUE THEN
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_1_x double precision default null;';
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_1_y double precision default null;';
END IF;
IF rotation IS TRUE THEN
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_1_rotation double precision default null;';
END IF;
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_1_text varchar(120);';
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_2_visible smallint default 1; ';
IF position IS TRUE THEN
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_2_x double precision default null;';
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_2_y double precision default null;';
END IF;
IF rotation IS TRUE THEN
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_2_rotation double precision default null;';
END IF;
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD COLUMN label_2_text varchar(120);';
/* Creates constraints */
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD CONSTRAINT '||table_name||'_label_1_visible FOREIGN KEY (label_1_visible) REFERENCES qwat_vl.visible(vl_code_int) MATCH FULL; CREATE INDEX fki_'||table_name||'_label_1_visible ON qwat_od.'||table_name||'(label_1_visible);';
EXECUTE 'ALTER TABLE qwat_od.'||table_name||' ADD CONSTRAINT '||table_name||'_label_2_visible FOREIGN KEY (label_2_visible) REFERENCES qwat_vl.visible(vl_code_int) MATCH FULL; CREATE INDEX fki_'||table_name||'_label_2_visible ON qwat_od.'||table_name||'(label_2_visible);';
END;
$BODY$
LANGUAGE 'plpgsql';
我明白了:
ERROR: syntax error at or near "position"
LINE 4: ...wat_od.fn_label_create_fields(table_name varchar, position b...
我在参数声明中做错了吗?
Did I do something wrong in the declaration of arguments?
推荐答案
@ pozs已经为您看到的错误提供了一个解释.
但是还有更多.最重要的是,您可以公开使用 SQL注入 .
@pozs already provided an explanation for the error you saw.
But there is more. Most importantly, you are wide open to SQL injection.
CREATE OR REPLACE FUNCTION qwat_od.fn_label_create_fields(_tbl text, _position bool = true, _rotation bool = true)
RETURNS void AS
$func$
BEGIN
/* Creates columns */
EXECUTE format('ALTER TABLE qwat_od.%I ADD COLUMN label_1_visible smallint default 1', _tbl);
IF _position THEN
EXECUTE format('ALTER TABLE qwat_od.%I
ADD COLUMN label_1_x double precision default null
, ADD COLUMN label_1_y double precision default null', _tbl);
END IF;
IF _rotation THEN
EXECUTE format('ALTER TABLE qwat_od.%I ADD COLUMN label_1_rotation double precision default null' , _tbl);
END IF;
EXECUTE format('ALTER TABLE qwat_od.%I
ADD COLUMN label_1_text varchar(120)
, ADD COLUMN label_2_visible smallint default 1', _tbl);
IF _position THEN
EXECUTE format('ALTER TABLE qwat_od.%I
ADD COLUMN label_2_x double precision default null
, ADD COLUMN label_2_y double precision default null', _tbl);
END IF;
IF _rotation THEN
EXECUTE format('ALTER TABLE qwat_od.%I ADD COLUMN label_2_rotation double precision default null', _tbl);
END IF;
EXECUTE format('ALTER TABLE qwat_od.%I ADD COLUMN label_2_text varchar(120)', _tbl);
/* Creates constraints */
EXECUTE format('ALTER TABLE qwat_od.%$1I
ADD CONSTRAINT %$2I FOREIGN KEY (label_1_visible) REFERENCES qwat_vl.visible(vl_code_int)
, ADD CONSTRAINT %$3I FOREIGN KEY (label_2_visible) REFERENCES qwat_vl.visible(vl_code_int);
CREATE INDEX %$4I ON qwat_od.%$1I(label_1_visible);
CREATE INDEX %$5I ON qwat_od.%$1I(label_2_visible)'
, _tbl
, _tbl || '_label_1_visible'
, _tbl || '_label_2_visible'
, 'fki_' || _tbl || '_label_1_visible'
, 'fki_' || _tbl || '_label_2_visible');
END
$func$ LANGUAGE plpgsql;
-
确保使用明确,有效的参数名称(
position
是 保留字 是主要错误).Be sure to use unambiguous, valid parameter names (
position
being a reserved word was the primary error).我修复了
format()
的SQL注入问题(因为使用regclass
的简单解决方案并未涵盖您的并置名称,如@pozs所述).详细说明:I fixed your SQL injection issues with
format()
(since the simple solution withregclass
didn't cover your concatenated names, as commented by @pozs). Detailed explanation:- INSERT with dynamic table name in trigger function
- Table name as a PostgreSQL function parameter
_tbl
必须是不合格的表名("tbl"
,而不是"schema.tbl"
)._tbl
has to be the unqualified table name ("tbl"
, not"schema.tbl"
).不引用语言名称,它是一个标识符:
LANGUAGE plpgsql
Don't quote the language name, it's an identifier:
LANGUAGE plpgsql
在单个
ALTER TABLE
语句.It's cheaper to add multiple columns / sonstraints in a single
ALTER TABLE
statement.其他各种简化/优化.
这篇关于函数中的Postgres语法错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!