Old 04-15-2008, 11:28 PM
Pavel Stehule
Default Proposal: PL/pgSQL EXECUTE INTO USING (for 8.4)

Hello,

This proposal changes an older, unaccepted proposal:
http://archives.postgresql.org/pgsql...3/msg01157.php .

Changes:
* based on prepared statements
* syntax and behaviour are close to Oracle's
* usable as protection from SQL injection

New syntax:

a) EXECUTE stringexpr
[INTO [STRICT] varlist]
[USING exprlist]

b) FOR varlist IN EXECUTE stringexpr USING exprlist LOOP ....

Reason:
* defence against SQL injection
* more readable, shorter, more comfortable

Sample (secure dynamic statement):
EXECUTE
'SELECT * FROM ' ||
CASE tblname
WHEN 'tab1' THEN 'tab1'
WHEN 'tab2' THEN 'tab2'
ELSE '"some is wrong"' END ||
' WHERE c1 = $1 AND c2 = $2'
USING unsecure_parameter1, unsecure_parameter2;

Difference between PL/SQL and proposal:
* allow only IN variables
* uses PostgreSQL placeholder notation: $n instead of :n

Compliance with PL/SQL:
* You can use numeric, character, and string literals as bind arguments
* You cannot use bind arguments to pass the names of schema objects to
a dynamic SQL statement.

Best regards

Pavel Stehule
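As an added illustration (not part of Pavel's post), the following PL/pgSQL shows the proposed EXECUTE ... INTO ... USING form as it behaves in PostgreSQL 8.4 and later, beside the string-splicing form it replaces; the table, columns and function names are assumed for the example, and the identifier is whitelisted and quoted with quote_ident() because, as the proposal notes, object names cannot be bind arguments.

```sql
-- Constructed sample data for the example.
CREATE TABLE tab1 (c1 int, c2 text, payload text);
INSERT INTO tab1 VALUES (1, 'a', 'first'), (2, 'b', 'second');

-- Vulnerable form: the caller's values are spliced into the statement text,
-- so a c2 value such as  x' OR '1'='1  rewrites the WHERE clause.
CREATE OR REPLACE FUNCTION lookup_unsafe(tblname text, p1 int, p2 text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
  result text;
BEGIN
  EXECUTE 'SELECT payload FROM ' || tblname
       || ' WHERE c1 = ' || p1::text || ' AND c2 = ''' || p2 || ''''
  INTO result;
  RETURN result;
END $$;

-- Hardened form: the values travel as bind arguments ($1, $2) via USING and
-- are never part of the SQL text; the table name, which cannot be bound, is
-- checked against a fixed list and quoted with quote_ident().
CREATE OR REPLACE FUNCTION lookup_safe(tblname text, p1 int, p2 text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
  result text;
BEGIN
  IF tblname NOT IN ('tab1', 'tab2') THEN
    RAISE EXCEPTION 'unexpected table name: %', tblname;
  END IF;
  -- STRICT: exactly one row must match, otherwise NO_DATA_FOUND or
  -- TOO_MANY_ROWS is raised instead of silently taking the first row.
  EXECUTE 'SELECT payload FROM ' || quote_ident(tblname)
       || ' WHERE c1 = $1 AND c2 = $2'
  INTO STRICT result
  USING p1, p2;
  RETURN result;
END $$;

SELECT lookup_safe('tab1', 2, 'b');   -- second
-- lookup_safe('tab1', 2, 'x'' OR ''1''=''1') finds no row and raises
-- NO_DATA_FOUND, whereas lookup_unsafe would return 'first'.
```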
