A recent tweet pointed me to safeupdate which is a little extension that forbids unconditional UPDATE and DELETE statements, i.e. without WHERE clause.
Let's see how this works...
The build and install procedure is pretty non-spectacular: make, make install and then either activate it per session with load 'safeupdate' or globally by adding it to postgresql.conf:
shared_preload_libraries = 'safeupdate'
After that, if you try an unconditional UPDATE or DELETE on any table, you'll get the following errors:
ERROR: UPDATE requires a WHERE clause
and
ERROR: DELETE requires a WHERE clause
respectively and the operation is cancelled.
Unconditional UPDATE and DELETE can still be forced by using a condition that always evaluates to true, like
WHERE TRUE or WHERE 1=1
But now you have to explicitly request this behaviour.
I think this is ever so useful to protect against human error, that I wonder why this isn't something mandatory, even if it's non-standard.
However, there is one glitch: If you JOIN tables to UPDATE or DELETE only certain rows that match the ON condition, this is not recognized as a conditional operation and the WHERE TRUE is still needed to pacify the extension. Well, I can live with that...