tags:

views:

53

answers:

1
+1  Q: 

Quoting identifiers for dynamic SQL in PL/SQL

Is there a PL/SQL function or general technique to quote unqualified identifiers (e.g., mytable) for use in a dynamically constructed SQL query? How about partially or fully qualified identifiers (a.b@c)?

Consider this contrived example:

CREATE PROCEDURE by_the_numbers(COL_NAME VARCHAR, INTVAL INTEGER) IS
  ...
BEGIN
  -- COL_NAME is interpolated into SQL string
  -- INTVAL gets bound to :1
  stmt := 'SELECT * FROM tbl WHERE ' || COL_NAME || ' = :1';
  ...
END

... where we don't want to permit naive SQL injection in COL_NAME (e.g., a value of '1=1 or 1').

+3  A: 

There is dbms_assert: http://www.oracle-base.com/articles/10g/dbms_assert_10gR2.php for preventing sql injection.

TTT  2010-10-23 09:02:16

related questions

Is there a Way to use Linq to Oracle
NHibernate and Oracle connect through Windows Authenication
Boolean Field in Oracle
How do you manage schema upgrades to a production database?
How do I deal with quotes ' in SQL
When do you use table clusters?
Oracle write to file
MS SQL Server 2008 "linked server" to Oracle : schema not showing
Develop on local Oracle instance
Resources for an Oracle beginner
What strategies have you employed to improve web application performance?
Automate Syncing Oracle Tables With MySQL Tables
Best way to encapsulate complex Oracle PL/SQL cursor logic as a view?
What Content Management does your workplace use?
What is the difference between oracle's 'yy' and 'rr' date mask?
SQL/Query tools?
How to make Pro*C cope with #warning directives?
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How big would such a database be?
Oracle - What TNS Names file am I using?
What is a good way to open large files across a WAN?
How do I find the high water mark (for sessions) on Oracle 9i
SQL Case Statement Syntax?
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?