
Prepared statements in PostgreSQL

Trying to figure out how to make prepared statements work in plpgsql in order to sanitize my code.

PREPARE statements(text, text, text, text, text, text, text, text, text, text, text, text) AS
    'SELECT
        *
    FROM
        articles
    WHERE
        ' || $1 || ' AND
        ' || $2 || ' AND
        primary_category LIKE ''' || $3 || ''' AND
        ' || $4 || ' AND
        ' || $5 || ' AND
        ' || $6 || ' AND
        ' || $7 || ' AND
        ' || $8 || ' AND
        ' || $9 || ' AND
        ' || $10 || ' AND
        ' || $11 || ' AND
        is_template = ' || §12 || ' AND
        status <> ''DELETED''
    ORDER BY ' || $13 || ' LIMIT 500';

RETURN QUERY EXECUTE statements(search_term, publication_date_query, category_filter, tags_query, districts_query, capability_query, push_notification_query, distance_query, revision_by, publication_priority_query, status_query, only_templates, order_by);

The above code returns

ERROR:  syntax error at or near "'SELECT
                        *
                    FROM
                        articles
                    WHERE
                        '"
LINE 67:      'SELECT

I declare my variables like so:

DECLARE
tags_query text := 'true';
BEGIN
        IF char_length(search_term) > 0 THEN
            order_by := 'ts_rank_cd(textsearchable_index_col, to_tsquery(''' || search_term || ':*''))+GREATEST(0,(-1*EXTRACT(epoch FROM age(last_edited)/86400))+60)/60 DESC';
            search_term := 'to_tsquery(''' || search_term || ':*'') @@ textsearchable_index_col';
        ELSE
            search_term := 'true';
        END IF;
...

I am new at this, so please don't freak out immediately if it is something silly I did not notice.

Edit: PostgreSQL Version 9.6

Edit: I am aware of the documentation.

I see more issues.

  1. PLpgSQL doesn't support explicitly prepared commands, so the SQL EXECUTE command is different from the PLpgSQL EXECUTE command. The parameter of the PLpgSQL EXECUTE command is a SQL string, not the name of a prepared command. There is no clean way to execute an explicitly prepared SQL command from PLpgSQL. So the combination PREPARE cmd(); EXECUTE cmd() in PLpgSQL does not make any sense.
  2. The parameter of a prepared statement should be a clean value; it cannot be used inside apostrophes. ' $n ' is another nonsense. Just $n is safe. ' $n ' means the string " $n ", which is probably different from what you are expecting.
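The PLpgSQL-native way to do what the question attempts, as an added example that is not part of the original question or answer: EXECUTE runs a SQL string, the values are bound with USING (the bare $n the answer recommends, never wrapped in apostrophes), and the one dynamic identifier, the ORDER BY column, goes through format('%I') plus an allow-list. The table and column names (articles, primary_category, is_template, status, last_edited) are taken from the question; the function name search_articles and its argument list are assumptions made for the illustration. EXECUTE ... USING and format() are both available on the PostgreSQL 9.6 mentioned in the question.

```sql
-- Added example, not code from the original question or answer.
-- Table/column names follow the question; search_articles and its
-- parameters are assumed for illustration.
CREATE OR REPLACE FUNCTION search_articles(
    category_filter text,
    only_templates  boolean,
    order_by        text DEFAULT 'last_edited'
)
RETURNS SETOF articles
LANGUAGE plpgsql
AS $$
DECLARE
    sql text;
BEGIN
    -- Identifiers cannot be bound as parameters, so the ORDER BY column is
    -- checked against an allow-list and then quoted with format('%I').
    IF order_by NOT IN ('last_edited', 'primary_category') THEN
        RAISE EXCEPTION 'unsupported order_by column: %', order_by;
    END IF;

    -- Values are never concatenated into the SQL text; they are referenced
    -- as bare $1 and $2 and supplied by USING below. The doubled quotes
    -- around DELETED are only string-literal escaping inside format()'s
    -- template and come out as 'DELETED' in the final statement.
    sql := format(
        'SELECT * FROM articles
          WHERE primary_category LIKE $1
            AND is_template = $2
            AND status <> ''DELETED''
          ORDER BY %I
          LIMIT 500',
        order_by);

    -- PLpgSQL EXECUTE: argument is a SQL string, parameters come from USING.
    RETURN QUERY EXECUTE sql USING category_filter, only_templates;
END;
$$;

-- Usage: category_filter is passed as data, so a value containing a single
-- quote is matched as a literal LIKE pattern rather than spliced into the SQL.
SELECT * FROM search_articles('news%', false, 'last_edited');
```

The split matters: data goes through USING, where the server binds it as a typed value, while identifiers, which cannot be parameters, are restricted to a fixed set and then quoted with %I, so neither path lets caller input change the structure of the statement.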
