some daily fix on 1.7 branch

Author: okbob

expected/plpgsql_check_active.out

@@ -3666,9 +3666,10 @@ select * from plpgsql_check_function('dyn_sql_1', security_warnings := true, fat
  Detail: The EXECUTE expression is SQL injection vulnerable.
  Hint: Use quote_ident, quote_literal or format function to secure variable.
  warning:00000:13:EXECUTE:values passed to EXECUTE statement by USING clause was not used
- error:XX000:14:EXECUTE:there is no parameter $1
- Context: SQL statement "select $1"
-(13 rows)
+ error:42P02:14:EXECUTE:there is no parameter $1
+ Query: select $1
+ --            ^
+(14 rows)
 
 drop function dyn_sql_1();
 create type tp as (a int, b int);
@@ -3700,3 +3701,34 @@ select * from plpgsql_check_function('dyn_sql_2', security_warnings := true);
 
 drop function dyn_sql_2();
 drop type tp;
+/*
+ * Should not to work
+ */
+create or replace function dyn_sql_2()
+returns void as $$
+declare
+  r record; 
+  result int;
+begin
+  select 10 a, 20 b into r;
+  raise notice '%', r.a;
+  execute 'select $1.a + $1.b' into result using r;
+  raise notice '%', result;
+end;
+$$ language plpgsql;
+select dyn_sql_2(); --should to fail
+NOTICE:  10
+ERROR:  could not identify column "a" in record data type
+LINE 1: select $1.a + $1.b
+               ^
+QUERY:  select $1.a + $1.b
+CONTEXT:  PL/pgSQL function dyn_sql_2() line 8 at EXECUTE
+select * from plpgsql_check_function('dyn_sql_2', security_warnings := true);
+                         plpgsql_check_function                          
+-------------------------------------------------------------------------
+ error:42703:8:EXECUTE:could not identify column "a" in record data type
+ Query: select $1.a + $1.b
+ --     ^
+(3 rows)
+
+drop function dyn_sql_2();

sql/plpgsql_check_active.sql

@@ -2693,3 +2693,24 @@ select * from plpgsql_check_function('dyn_sql_2', security_warnings := true);
 drop function dyn_sql_2();
 
 drop type tp;
+
+/*
+ * Should not to work
+ */
+create or replace function dyn_sql_2()
+returns void as $$
+declare
+  r record; 
+  result int;
+begin
+  select 10 a, 20 b into r;
+  raise notice '%', r.a;
+  execute 'select $1.a + $1.b' into result using r;
+  raise notice '%', result;
+end;
+$$ language plpgsql;
+
+select dyn_sql_2(); --should to fail
+select * from plpgsql_check_function('dyn_sql_2', security_warnings := true);
+
+drop function dyn_sql_2();

src/check_expr.c

@@ -462,9 +462,14 @@ plpgsql_check_expr_get_string(PLpgSQL_checkstate *cstate, PLpgSQL_expr *expr, bo
 	Const	   *c;
 
 	c = expr_get_const(cstate, expr);
-	*isnull = c && c->constisnull;
+	if (c)
+	{
+		*isnull = c->constisnull;
+
+		return plpgsql_check_const_to_string(c);
+	}
 
-	return plpgsql_check_const_to_string(c);
+	return NULL;
 }
 
 static void

src/stmtwalk.c

@@ -12,6 +12,7 @@
 #include "plpgsql_check.h"
 
 #include "access/tupconvert.h"
+#include "catalog/pg_collation.h"
 #include "catalog/pg_type.h"
 
 #include "nodes/nodeFuncs.h"
@@ -55,7 +56,10 @@ dynsql_param_ref(ParseState *pstate, ParamRef *pref)
 	TupleDesc	tupdesc;
 
 	if (pref->number < 1 || pref->number > nargs)
-		elog(ERROR, "there is no parameter $%d", pref->number);
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_PARAMETER),
+				 errmsg("there is no parameter $%d", pref->number),
+				 parser_errposition(pstate, pref->location)));
 
 	expr = (PLpgSQL_expr *) list_nth(args, pref->number - 1);
 
@@ -72,8 +76,12 @@ dynsql_param_ref(ParseState *pstate, ParamRef *pref)
 		param->paramkind = PARAM_EXTERN;
 		param->paramid = pref->number;
 		param->paramtype = TupleDescAttr(tupdesc, 0)->atttypid;
-		param->paramtypmod = TupleDescAttr(tupdesc, 0)->atttypmod;
-		param->paramcollid = TupleDescAttr(tupdesc, 0)->attcollation;
+
+		/*
+		 * SPI_execute_with_args doesn't allow pass typmod.
+		 */
+		param->paramtypmod = -1;
+		param->paramcollid = DEFAULT_COLLATION_OID;
 
 		ReleaseTupleDesc(tupdesc);
 	}