Tags: function, postgresql, plpgsql, dynamic-sql, identifier

Table name as a PostgreSQL function parameter


I want to pass a table name as a parameter in a Postgres function. I tried this code:

CREATE OR REPLACE FUNCTION some_f(param character varying) RETURNS integer 
AS $$
    BEGIN
    IF EXISTS (select * from quote_ident($1) where quote_ident($1).id=1) THEN
     return 1;
    END IF;
    return 0;
    END;
$$ LANGUAGE plpgsql;

select some_f('table_name');

And I got this:

ERROR:  syntax error at or near "."
LINE 4: ...elect * from quote_ident($1) where quote_ident($1).id=1)...
                                                             ^

********** Error **********

ERROR: syntax error at or near "."

And here is the error I got when I changed it to select * from quote_ident($1) tab where tab.id=1:

ERROR:  column tab.id does not exist
LINE 1: ...T EXISTS (select * from quote_ident($1) tab where tab.id...

Probably, quote_ident($1) works, because without the where quote_ident($1).id=1 part I get 1, which means something is selected. Why may the first quote_ident($1) work and the second one not at the same time? And how could this be solved?


Solution

  • For only a few known table names, it's typically simpler to avoid dynamic SQL and spell out the few code variants in separate functions or in a CASE construct.

    That said, your given code can be simplified and improved:

    CREATE OR REPLACE FUNCTION some_f(_tbl regclass, OUT result bool)
      LANGUAGE plpgsql AS
    $func$
    BEGIN
       EXECUTE format('SELECT (EXISTS (SELECT FROM %s WHERE id = 1))', _tbl)
       INTO result;
    END
    $func$;
    

    Call with schema-qualified name (see below):

    SELECT some_f('myschema.mytable');  -- would fail with quote_ident()
    

    Or:

    SELECT some_f('"my very uncommon table name"');
    

    Major points

    Use an OUT parameter to simplify the function. You can assign the result of the dynamic SELECT directly and be done. No need for additional variables and code.

    EXISTS does exactly what you want. You get true if the row exists or false otherwise. There are various ways to do this, EXISTS is typically most efficient.

    To return integer like your original, cast the boolean result to integer and use OUT result integer instead. But rather just return boolean as demonstrated.

    I use the object identifier type regclass as input type for _tbl. That is more convenient here than text input and quote_ident(_tbl) or format('%I', _tbl) because:

    A regclass parameter is only applicable for existing tables, obviously.

    I still use format() because it simplifies the syntax (and to demonstrate how it's used), but with %s instead of %I. For more complex queries, format() helps more. For the simple example we could just concatenate:

    EXECUTE 'SELECT (EXISTS (SELECT FROM ' || _tbl || ' WHERE id = 1))'
    

    No need to table-qualify the id column while there is only a single table in the FROM list - no ambiguity possible. (Dynamic) SQL commands inside EXECUTE have a separate scope, function variables or parameters are not visible - as opposed to plain SQL commands in the function body.

    Here's why you always escape user input for dynamic SQL properly:

    fiddle - demonstrating SQL injection
    Old sqlfiddle
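Added example, not taken from the question or the answer above: the same existence check written three ways, so that the raw-concatenation version sits beside the two properly escaped ones and the difference in how a table name is handled before execution is visible. The schema myschema, the table name weird"name and the function names exists_unsafe, exists_ident and exists_regclass are constructed for this demo.

```sql
-- Constructed demo objects (assumption: nothing with these names exists yet).
CREATE SCHEMA myschema;
CREATE TABLE myschema."weird""name" (id int);   -- identifier containing a double quote
INSERT INTO myschema."weird""name" VALUES (1);

-- 1) Unsafe: a text parameter concatenated raw. Whatever the caller passes
--    becomes part of the statement text unchanged, so the caller, not the
--    function, decides what gets executed.
CREATE OR REPLACE FUNCTION exists_unsafe(_tbl text, OUT result bool)
  LANGUAGE plpgsql AS
$func$
BEGIN
   EXECUTE 'SELECT (EXISTS (SELECT FROM ' || _tbl || ' WHERE id = 1))'
   INTO result;
END
$func$;

-- 2) Hardened with format('%I'): each argument is emitted as exactly ONE
--    identifier, double-quoted with embedded quotes doubled, so it can only
--    ever be read as a relation name. Because %I quotes the whole string,
--    a schema-qualified name needs two placeholders ('%I.%I'), which is why
--    a single format('%I', _tbl) rejects 'myschema.mytable'.
CREATE OR REPLACE FUNCTION exists_ident(_schema text, _tbl text, OUT result bool)
  LANGUAGE plpgsql AS
$func$
BEGIN
   EXECUTE format('SELECT (EXISTS (SELECT FROM %I.%I WHERE id = 1))', _schema, _tbl)
   INTO result;
END
$func$;

-- 3) regclass, as in the answer: the cast to regclass happens before the
--    function body runs and fails unless the input names an existing relation,
--    and %s then renders the regclass value correctly quoted and qualified.
CREATE OR REPLACE FUNCTION exists_regclass(_tbl regclass, OUT result bool)
  LANGUAGE plpgsql AS
$func$
BEGIN
   EXECUTE format('SELECT (EXISTS (SELECT FROM %s WHERE id = 1))', _tbl)
   INTO result;
END
$func$;

-- Inspect how each input is rendered as SQL text before anything is executed.
SELECT format('%I.%I', 'myschema', 'weird"name');
SELECT 'myschema."weird""name"'::regclass;

-- Both escaped variants find the row; the regclass cast raises an error for
-- a name that does not resolve to an existing relation.
SELECT exists_ident('myschema', 'weird"name');
SELECT exists_regclass('myschema."weird""name"');
SELECT exists_regclass('myschema.no_such_table');
```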