plpgsql executing dynamic command: why prefer the identifiers $1, $2 over a raw string value?
The command string can use parameter values, which are referenced in the command as $1, $2, etc. These symbols refer to values supplied in the USING clause. This method is often preferable to inserting data values into the command string as text: it avoids run-time overhead of converting the values to text and back, and it is much less prone to SQL-injection attacks since there is no need for quoting or escaping. An example is:
```sql
EXECUTE 'SELECT count(*) FROM mytable WHERE inserted_by = $1 AND inserted <= $2'
INTO c
USING checked_user, checked_date;
```
https://www.postgresql.org/docs/13/plpgsql-statements.html#PLPGSQL-STATEMENTS-EXECUTING-DYN
https://github.com/postgres/postgres/tree/master/src/pl/plpgsql/src
Using $1, $2, the database knows they refer to the function parameter list identifiers, ordered from left to right.
Otherwise, does the database need to compare the text with the function parameter list?
Is it possible to tell me which line of the source code is doing this execution?
How is it prone to SQL injection? Any simple example?
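The contrast the question asks about, as an added example (not the asker's code and not taken from the PostgreSQL docs): the same count query built once by splicing the values into the command text and once with USING parameters. The table and column names follow the quoted docs snippet; the table contents are constructed.

```sql
-- Constructed sample data matching the column names in the quoted docs snippet.
CREATE TABLE mytable (inserted_by text, inserted date);
INSERT INTO mytable VALUES ('alice', '2020-01-01'), ('bob', '2020-02-01');

-- UNSAFE: the caller's text is spliced into the SQL source, so the parser
-- sees it as part of the statement. A value containing a single quote
-- changes the statement's structure instead of being treated as data.
CREATE FUNCTION count_unsafe(checked_user text, checked_date date)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
  c bigint;
BEGIN
  EXECUTE 'SELECT count(*) FROM mytable WHERE inserted_by = '''
          || checked_user || ''' AND inserted <= ''' || checked_date || ''''
  INTO c;
  RETURN c;
END $$;

-- SAFE: $1 and $2 are placeholders bound to the USING values. The values are
-- handed to the executor as typed parameters and are never parsed as SQL
-- text, so no quoting or escaping is needed and no value can alter the query.
CREATE FUNCTION count_safe(checked_user text, checked_date date)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
  c bigint;
BEGIN
  EXECUTE 'SELECT count(*) FROM mytable WHERE inserted_by = $1 AND inserted <= $2'
  INTO c
  USING checked_user, checked_date;
  RETURN c;
END $$;

SELECT count_safe('alice', '2020-12-31');    -- 1
SELECT count_unsafe('alice', '2020-12-31');  -- 1: identical for harmless input

-- A perfectly legitimate name containing an apostrophe:
SELECT count_safe('O''Brien', '2020-12-31');    -- 0: the quote is just data
SELECT count_unsafe('O''Brien', '2020-12-31');
-- ERROR: syntax error at or near "Brien"
-- The concatenated command text became
--   ... WHERE inserted_by = 'O'Brien' AND inserted <= '2020-12-31'
-- The quote terminated the literal early; a value chosen deliberately could
-- just as well rewrite the WHERE predicate, which is the injection risk.
```

If a dynamic command must interpolate text (for example an identifier, which cannot be passed via USING), the docs' `format()` with `%I`/`%L` or `quote_ident()`/`quote_literal()` performs the escaping; plain `||` concatenation never should.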
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow