C＃Npgsql，支持过程调用吗？

Question

with regards to the new update of postgresSQL (ver 11). Procedures are now supported. Procedures can be created using the CREATE PROCEDURE command and executed using the CALL command.

CREATE PROCEDURE MyInsert(_sno text, _eid text, _sd date)
LANGUAGE SQL
AS $$
    INSERT INTO app_for_leave(sno, eid, sd)
    VALUES(_sno, _eid, _sd);   
$$;

CALL MyInsert('4','5','2013-04-04');

Is the "CALL" supported right now ?

Currently i can only make it work by building a String as a command and then executing it. eg

using (var conn = new NpgsqlConnection(_connectionString))
{
         conn.Open();
          using (var cmd = conn.CreateCommand())
          {
               cmd.CommandText = "CALL MyInsert('4','5','2013-04-04')";
               cmd.ExecuteNonQuery();
          }
         conn.Close();
}

Please do let me know if there is a better way of executing the "MyInsert" without building the query string. This is susceptible to sql injection as it is not a prepared statement.

Thanks in advance !

Answer 1

Creating a regular command with CALL proc_name() is perfectly fine for executing stored procedures - there's nothing else that's needed really. Nothing about this is more or less susceptible to SQL injection: you can still pass parameters as usual by specifying parameter placeholders (eg @param1, @param2). Note that parameters and placeholders also have nothing to do with prepared statements - it's perfectly valid to send parameters (and therefore be protected against SQL injection) with a non-prepared statements

The PostgreSQL protocol doesn't have any special provisions for calling functions or procedures. Even when you use CommandType.StoredProcedure for calling functions, all this does is make Npgsql construct a SELECT func_name() under the hood and send it as a normal command.