You must defend against SQL injectionwhenever you turn user input into code. That includes table and column names coming from system catalogs or from direct user input alike. This way you also prevent trivial exceptions with non-standard identifiers. There are basically threebuilt-in methods:

每当您将用户输入转换为代码时，您都必须防范SQL 注入。这包括来自系统目录或直接用户输入的表名和列名。通过这种方式，您还可以防止使用非标准标识符的微不足道的异常。基本上有三种内置方法：

1. format()

1. format()

1st query, sanitized:

第一个查询，已清理：

CREATE OR REPLACE FUNCTION foo(_t text)
  RETURNS void AS
$func$
BEGIN
   EXECUTE format('
   ALTER TABLE %I ADD COLUMN c1 varchar(20)
                , ADD COLUMN c2 varchar(20)', _t);
END
$func$  LANGUAGE plpgsql;

format()requires Postgres 9.1 or later. Use it with the %Iformat specifier.

format()需要 Postgres 9.1 或更高版本。将它与%I格式说明符一起使用。

The table name alone may be ambiguous. You may have to provide the schema name to avoid changing the wrong table by accident. Related:

单独的表名可能不明确。您可能必须提供架构名称以避免意外更改错误的表。有关的：

• INSERT with dynamic table name in trigger function
• How does the search_path influence identifier resolution and the "current schema"

• 在触发器函数中插入动态表名
• search_path 如何影响标识符解析和“当前模式”

Aside: adding multiple columnswith a single ALTER TABLEcommandis cheaper.

另外：使用单个命令添加多个列ALTER TABLE更便宜。

2. regclass

2. regclass

You can also use a cast to a registered class (regclass) for the special case of existingtable names. Optionally schema-qualified. This fails immediately and gracefully for table names that are not be valid and visible to the calling user. The 1st query sanitized with a cast to regclass:

regclass对于现有表名的特殊情况，您还可以使用对注册类 ( ) 的强制转换。可选模式限定。对于无效且对调用用户不可见的表名，这会立即且优雅地失败。第一个查询使用强制转换为regclass：

CREATE OR REPLACE FUNCTION foo(_t regclass)
  RETURNS void AS
$func$
BEGIN
   EXECUTE 'ALTER TABLE '|| _t ||' ADD COLUMN c1 varchar(20)
                                 , ADD COLUMN c2 varchar(20)';
END
$func$  LANGUAGE plpgsql;

Call:

称呼：

SELECT foo('table_name');

Or:

或者：

SELECT foo('my_schema.table_name'::regclass);

Aside: consider using just textinstead of varchar(20).

旁白：考虑使用 justtext代替varchar(20).

3. quote_ident()

3. quote_ident()

The 2nd query sanitized:

第二个查询清理：

CREATE OR REPLACE FUNCTION foo(_t regclass, _c text)
  RETURNS void AS
$func$
BEGIN
   EXECUTE 'UPDATE '|| _t ||'   -- sanitized with regclass
            SET '|| quote_ident(_c) ||' = ''This is a test''';
END
$func$  LANGUAGE plpgsql;

For multiple concatenations / interpolations, format()is cleaner ...

对于多个串联/插值，format()更干净......

Related answers:

相关回答：

• Table name as a PostgreSQL function parameter
• Postgres functions vs prepared queries

• 表名作为 PostgreSQL 函数参数
• Postgres 函数与准备好的查询

Case sensitive!

区分大小写！

Be aware that unquoted identifiers are notcast to lower case here. When used as identifier in SQL Postgres casts to lower case automatically. But here we pass stringsfor dynamic SQL. When escaped as demonstrated, CaMel-case identifiers (like UserS) will be preserved by doublequoting ("UserS"), just like other non-standard names like "name with space""SELECT"etc. Hence, names are case sensitive in this context.

请注意，此处未将未加引号的标识符转换为小写。在 SQL Postgres 中用作标识符时，会自动转换为小写。但在这里我们为动态 SQL传递字符串。当按照演示进行转义时，CaMel 大小写标识符（如UserS）将通过双引号（"UserS"）保留，就像其他非标准名称（如"name with space""SELECT"等）一样。因此，名称在此上下文中区分大小写。

My standing advice is to use legal lower case identifiers exclusively and never worry about that.

我的长期建议是只使用合法的小写标识符，不要担心。

Aside: single quotes for values, double quotes for identifiers.

旁白：值的单引号，标识符的双引号。