有没有人知道检测current_query()的结果是否是预备声明的好方法?
我似乎不能简单地使用字符串函数,因为这可能是准备语句的一个例子:
UPDATE table SET "x" = $1 WHERE "y" = $2 AND "z" = $3
但这不会:
UPDATE table SET "x" = '$1 + $2 = $3' WHERE "y"='$1' AND "z" = 1
是否有其他功能可以与/ {代替current_query()一起使用,或者您有其他想法吗?
答案 0 :(得分:0)
您可以通过在剥离所有字符串的文本后查找\$[[:digit:]]来检测current_query()是否为预准备语句。以下查询可以执行,但在复杂引用嵌套的情况下可能会失败:
with
queries(curr_query) as (
values ($$UPDATE table SET "x" = '$1||''a'' + $2 = $3' WHERE "y"='$1' AND "z" = 1$$),
($$UPDATE table SET "x" = $r1$a$r1$||$1 WHERE "y" = $2 AND "z" = $3||$r1$b$r1$ $$),
($$UPDATE table SET "x" = $1 WHERE "y" = $2 AND "z" = $3$$)
),
stripped as (
select *,
regexp_replace(
regexp_replace(
regexp_replace(curr_query, '(["'']).*?\1', '', 'g'),
'\$([[:alpha:]]*?)\$.*?\$\1\$', '', 'g'),
'\$([[:alpha:]][[:alnum:]]*?)\$.*?\$\1\$', '', 'g') as stripped_query
from queries
)
select *, stripped_query ~ '\$[[:digit:]]' AS is_prepared
from stripped