是否可以使用 DBD::Oracle 在单个查询中执行多个语句？

发布于 2024-07-22 20:40:50 字数 1357 浏览 12 评论 0原文

我想知道是否可以在单个 中执行多个 SQL 语句执行（）或do() 使用 DBD::Oracle 进行调用Perl DBI。示例：

# Multiple SQL statements in a single query, separated by a ";"
$sql = 'UPDATE foo SET bar = 123; DELETE FROM foo WHERE baz = 456';

$sth = $dbh->prepare($sql);
$sth->execute;

# ...or...

$dbh->do($sql);

我问这个问题并不是因为我想实际做这样的事情，而是因为我想衡量成功的 SQL 注入攻击可能造成的损害。是的，我知道，无论这个问题的答案如何，仍然必须使用绑定值和可信输入等从根本上消除 SQL 注入的可能性。但问题仍然存在：是否有可能使 DBD::Oracle 执行多个语句？

作为相关示例， DBD::mysql 有mysql_multi_statements 明确启用此“功能”的连接选项。我无法摆脱这样的感觉，即存在一些类似的、可能未记录的、晦涩难懂的 Oracle OCI 选项，可以通过 DBD::Oracle 以某种方式访问它，从而实现相同的功能。

如果重要的话，这是：

perl 5.8.8
DBD::Oracle 1.22
Oracle 11g (11.01.0700)

原文

I'd like to know if it's possible to execute more than one SQL statement within a single execute() or do() call using DBD::Oracle via Perl DBI. Example:

# Multiple SQL statements in a single query, separated by a ";"
$sql = 'UPDATE foo SET bar = 123; DELETE FROM foo WHERE baz = 456';

$sth = $dbh->prepare($sql);
$sth->execute;

# ...or...

$dbh->do($sql);

I ask this not because I want to actually do such a thing, but rather because I want to gauge the damage possible through a successful SQL injection attack. And yes, I know that, regardless of the answer to this question, the possibility of SQL injection must still be eliminated at its root using bind values and trusted input only, etc. But the question still stands: is it possible to make DBD::Oracle execute multiple statements?

As a related example, DBD::mysql has a mysql_multi_statements connection option that explicitly enables this "feature." I can't shake the feeling that there's some similar, perhaps undocumented and obscure Oracle OCI option that's accessible somehow via DBD::Oracle that will enable the same thing.

In case it matters, this is: