Add documentation and tests for quote marks in ECPG literal queries.

ECPG's PREPARE ... FROM and EXECUTE IMMEDIATE can optionally take the target query as a simple literal, rather than the more usual string-variable reference. This was previously documented as being a C string literal, but that's a lie in one critical respect: you can't write a data double quote as \" in such literals. That's because the lexer is in SQL mode at this point, so it'll parse double-quoted strings as SQL identifiers, within which backslash is not special, so \" ends the literal. I looked into making this work as documented, but getting the lexer to switch behaviors at just the right point is somewhere between very difficult and impossible. It's not really worth the trouble, because these cases are next to useless: if you have a fixed SQL statement to execute or prepare, you might as well write it as a direct EXEC SQL, saving the messiness of converting it into a string literal and gaining the opportunity for compile-time SQL syntax checking. Instead, let's just document (and test) the workaround of writing a double quote as an octal escape (\042) in such cases. There's no code behavioral change here, so in principle this could be back-patched, but it's such a niche case I doubt it's worth the trouble. Per report from 1250kv. Discussion: https://postgr.es/m/673825.1603223178@sss.pgh.pa.us

Add documentation and tests for quote marks in ECPG literal queries.
ECPG's PREPARE ... FROM and EXECUTE IMMEDIATE can optionally take the target query as a simple literal, rather than the more usual string-variable reference. This was previously documented as being a C string literal, but that's a lie in one critical respect: you can't write a data double quote as \" in such literals. That's because the lexer is in SQL mode at this point, so it'll parse double-quoted strings as SQL identifiers, within which backslash is not special, so \" ends the literal. I looked into making this work as documented, but getting the lexer to switch behaviors at just the right point is somewhere between very difficult and impossible. It's not really worth the trouble, because these cases are next to useless: if you have a fixed SQL statement to execute or prepare, you might as well write it as a direct EXEC SQL, saving the messiness of converting it into a string literal and gaining the opportunity for compile-time SQL syntax checking. Instead, let's just document (and test) the workaround of writing a double quote as an octal escape (\042) in such cases. There's no code behavioral change here, so in principle this could be back-patched, but it's such a niche case I doubt it's worth the trouble. Per report from 1250kv. Discussion: https://postgr.es/m/673825.1603223178@sss.pgh.pa.us
c16a1bbc · Tom Lane · 3dfb1942 · c16a1bbc · c16a1bbc · c16a1bbc
Commit c16a1bbc authored Oct 22, 2020 by Tom Lane
5 changed files
--- a/doc/src/sgml/ecpg.sgml
+++ b/doc/src/sgml/ecpg.sgml
@@ -7066,7 +7066,7 @@ EXECUTE IMMEDIATE <replaceable class="parameter">string</replaceable>
      <term><replaceable class="parameter">string</replaceable></term>
      <listitem>
       <para>
-        A literal C string or a host variable containing the SQL
+        A literal string or a host variable containing the SQL
        statement to be executed.
       </para>
      </listitem>
@@ -7074,6 +7074,30 @@ EXECUTE IMMEDIATE <replaceable class="parameter">string</replaceable>
    </variablelist>
   </refsect1>
+   <refsect1>
+    <title>Notes</title>
+    <para>
+     In typical usage, the <replaceable>string</replaceable> is a host
+     variable reference to a string containing a dynamically-constructed
+     SQL statement.  The case of a literal string is not very useful;
+     you might as well just write the SQL statement directly, without
+     the extra typing of <command>EXECUTE IMMEDIATE</command>.
+    </para>
+    <para>
+     If you do use a literal string, keep in mind that any double quotes
+     you might wish to include in the SQL statement must be written as
+     octal escapes (<literal>\042</literal>) not the usual C
+     idiom <literal>\"</literal>.  This is because the string is inside
+     an <literal>EXEC SQL</literal> section, so the ECPG lexer parses it
+     according to SQL rules not C rules.  Any embedded backslashes will
+     later be handled according to C rules; but <literal>\"</literal>
+     causes an immediate syntax error because it is seen as ending the
+     literal.
+    </para>
+   </refsect1>
   <refsect1>
    <title>Examples</title>
@@ -7388,7 +7412,7 @@ EXEC SQL OPEN :curname1;
   <refsynopsisdiv>
 <synopsis>
-PREPARE <replaceable class="parameter">name</replaceable> FROM <replaceable class="parameter">string</replaceable>
+PREPARE <replaceable class="parameter">prepared_name</replaceable> FROM <replaceable class="parameter">string</replaceable>
 </synopsis>
   </refsynopsisdiv>
@@ -7421,15 +7445,40 @@ PREPARE <replaceable class="parameter">name</replaceable> FROM <replaceable clas
      <term><replaceable class="parameter">string</replaceable></term>
      <listitem>
       <para>
-        A literal C string or a host variable containing a preparable
+        A literal string or a host variable containing a preparable
-        statement, one of the SELECT, INSERT, UPDATE, or
+        SQL statement, one of SELECT, INSERT, UPDATE, or DELETE.
-        DELETE.
+        Use question marks (<literal>?</literal>) for parameter values
+        to be supplied at execution.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </refsect1>
+   <refsect1>
+    <title>Notes</title>
+    <para>
+     In typical usage, the <replaceable>string</replaceable> is a host
+     variable reference to a string containing a dynamically-constructed
+     SQL statement.  The case of a literal string is not very useful;
+     you might as well just write a direct SQL <command>PREPARE</command>
+     statement.
+    </para>
+    <para>
+     If you do use a literal string, keep in mind that any double quotes
+     you might wish to include in the SQL statement must be written as
+     octal escapes (<literal>\042</literal>) not the usual C
+     idiom <literal>\"</literal>.  This is because the string is inside
+     an <literal>EXEC SQL</literal> section, so the ECPG lexer parses it
+     according to SQL rules not C rules.  Any embedded backslashes will
+     later be handled according to C rules; but <literal>\"</literal>
+     causes an immediate syntax error because it is seen as ending the
+     literal.
+    </para>
+   </refsect1>
   <refsect1>
    <title>Examples</title>
 <programlisting>

--- a/src/interfaces/ecpg/preproc/pgc.l
+++ b/src/interfaces/ecpg/preproc/pgc.l
@@ -715,7 +715,14 @@ cppline			{space}*#([^i][A-Za-z]*|{if}|{ifdef}|{ifndef}|{import})((\/\*[^*/]*\*+
 					BEGIN(state_before_str_start);
 					if (literallen == 0)
 						mmerror(PARSE_ERROR, ET_ERROR, "zero-length delimited identifier");
-					/* The backend will truncate the identifier here. We do not as it does not change the result. */
+					/*
+					 * The server will truncate the identifier here.  We do
+					 * not, as (1) it does not change the result; (2) we don't
+					 * know what NAMEDATALEN the server might use; (3) this
+					 * code path is also taken for literal query strings in
+					 * PREPARE and EXECUTE IMMEDIATE, which can certainly be
+					 * longer than NAMEDATALEN.
+					 */
 					base_yylval.str = mm_strdup(literalbuf);
 					return CSTRING;
 				}

--- a/src/interfaces/ecpg/test/expected/sql-execute.c
+++ b/src/interfaces/ecpg/test/expected/sql-execute.c
@@ -77,8 +77,8 @@ if (sqlca.sqlcode < 0) sqlprint();}
 #line 26 "execute.pgc"
-	sprintf(command, "insert into test (name, amount, letter) values ('db: ''r1''', 1, 'f')");
+	/* test handling of embedded quotes in EXECUTE IMMEDIATE "literal" */
-	{ ECPGdo(__LINE__, 0, 1, NULL, 0, ECPGst_exec_immediate, command, ECPGt_EOIT, ECPGt_EORT);
+	{ ECPGdo(__LINE__, 0, 1, NULL, 0, ECPGst_exec_immediate, "insert into test (name, \042amount\042, letter) values ('db: ''r1''', 1, 'f')", ECPGt_EOIT, ECPGt_EORT);
 #line 29 "execute.pgc"
 if (sqlca.sqlcode < 0) sqlprint();}

--- a/src/interfaces/ecpg/test/expected/sql-execute.stderr
+++ b/src/interfaces/ecpg/test/expected/sql-execute.stderr
@@ -10,7 +10,7 @@
 [NO_PID]: sqlca: code: 0, state: 00000
 [NO_PID]: ECPGtrans on line 26: action "commit"; connection "main"
 [NO_PID]: sqlca: code: 0, state: 00000
-[NO_PID]: ecpg_execute on line 29: query: insert into test (name, amount, letter) values ('db: ''r1''', 1, 'f'); with 0 parameter(s) on connection main
+[NO_PID]: ecpg_execute on line 29: query: insert into test (name, "amount", letter) values ('db: ''r1''', 1, 'f'); with 0 parameter(s) on connection main
 [NO_PID]: sqlca: code: 0, state: 00000
 [NO_PID]: ecpg_execute on line 29: using PQexec
 [NO_PID]: sqlca: code: 0, state: 00000

--- a/src/interfaces/ecpg/test/sql/execute.pgc
+++ b/src/interfaces/ecpg/test/sql/execute.pgc
@@ -25,8 +25,8 @@ exec sql end declare section;
 	exec sql create table test (name char(8), amount int, letter char(1));
 	exec sql commit;
-	sprintf(command, "insert into test (name, amount, letter) values ('db: ''r1''', 1, 'f')");
+	/* test handling of embedded quotes in EXECUTE IMMEDIATE "literal" */
-	exec sql execute immediate :command;
+	exec sql execute immediate "insert into test (name, \042amount\042, letter) values ('db: ''r1''', 1, 'f')";
 	sprintf(command, "insert into test (name, amount, letter) values ('db: ''r1''', 2, 't')");
 	exec sql execute immediate :command;