Quoting identifiers for dynamic SQL in PL/SQL
Is there a PL/SQL function or general technique to quote unqualified identifiers (e.g., mytable) for use in a dynamically constructed SQL query? How about partially or fully qualified identifiers (a.b@c)?
Consider this contrived example:
CREATE PROCEDURE by_the_numbers(COL_NAME VARCHAR, INTVAL INTEGER) IS
...
BEGIN
-- COL_NAME is interpolated into SQL string
-- INTVAL gets bound to :1
stmt := 'SELECT * FROM tbl WHERE ' || COL_NAME || ' = :1';
...
END
... where we don't want to permit naive SQL injection in COL_NAME (e.g., a value of '1=1 or 1').
There is dbms_assert: http://www.oracle-base.com/articles/10g/dbms_assert_10gR2.php for preventing sql injection.
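Below is an added example (not code from the question or the comment above) showing how the contrived procedure from the question can be hardened with DBMS_ASSERT: the column name is validated and double-quoted so it can only parse as a single identifier, the table name is checked as a qualified name (so a.b@c forms are allowed), and the value is bound rather than concatenated. The table TBL with an integer column ID, the function name safe_count and its parameter names are this example's own assumptions. Note that DBMS_ASSERT validates syntax, not existence: a quoted string such as '"1=1 or 1"' is a legal quoted identifier, so it is accepted and then fails at execution time with ORA-00904 because no such column exists, which is still not injection.

```sql
-- Added example, not from the question or the comment. Assumed objects:
-- table TBL (created here) and the function name SAFE_COUNT.
CREATE TABLE tbl (id INTEGER, label VARCHAR2(20));
INSERT INTO tbl VALUES (1, 'one');
INSERT INTO tbl VALUES (2, 'two');
COMMIT;

CREATE OR REPLACE FUNCTION safe_count(
    p_table IN VARCHAR2,   -- 'tbl', 'hr.tbl' or 'hr.tbl@remote'
    p_col   IN VARCHAR2,   -- unqualified column name: 'id' or '"Odd Name"'
    p_val   IN INTEGER)    -- bound, never concatenated
RETURN PLS_INTEGER
IS
    l_table VARCHAR2(4000);
    l_col   VARCHAR2(4000);
    l_stmt  VARCHAR2(4000);
    l_count PLS_INTEGER;
BEGIN
    -- SYS. prefix so a local object cannot shadow the public synonym.
    -- QUALIFIED_SQL_NAME accepts a, a.b and a.b@c, and raises ORA-44004
    -- (invalid qualified SQL name) on anything else, e.g. 'tbl where 1=1'.
    -- It checks syntax only; SYS.DBMS_ASSERT.SQL_OBJECT_NAME would also
    -- verify that the object exists.
    l_table := SYS.DBMS_ASSERT.QUALIFIED_SQL_NAME(p_table);

    -- SIMPLE_SQL_NAME raises ORA-44003 unless the input is a valid
    -- unquoted identifier (letter, then letters/digits/_/$/#) or a
    -- double-quoted one, so '1=1 or 1' is rejected here.
    -- ENQUOTE_NAME then wraps the result in double quotes; with
    -- capitalize => TRUE an unquoted 'id' becomes "ID" (matching a column
    -- created without quotes) and an already quoted name is passed through.
    l_col := SYS.DBMS_ASSERT.ENQUOTE_NAME(
                 SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_col), capitalize => TRUE);

    -- Only validated identifiers are interpolated; the value is a bind.
    l_stmt := 'SELECT COUNT(*) FROM ' || l_table
           || ' WHERE ' || l_col || ' = :1';
    EXECUTE IMMEDIATE l_stmt INTO l_count USING p_val;
    RETURN l_count;
END safe_count;
/

-- Constructed demonstration of the accept/reject cases.
SET SERVEROUTPUT ON
DECLARE
    PROCEDURE try(p_table VARCHAR2, p_col VARCHAR2, p_val INTEGER) IS
        l_n PLS_INTEGER;
    BEGIN
        l_n := safe_count(p_table, p_col, p_val);
        DBMS_OUTPUT.PUT_LINE(p_table || ' / ' || p_col || ' -> ' || l_n);
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.PUT_LINE(p_table || ' / ' || p_col
                                 || ' -> rejected: ' || SQLERRM);
    END;
BEGIN
    try('tbl', 'id', 1);             -- 1 row
    try('tbl', '1=1 or 1', 1);       -- ORA-44003 from SIMPLE_SQL_NAME
    try('tbl where 1=1', 'id', 1);   -- ORA-44004 from QUALIFIED_SQL_NAME
    try('tbl', '"1=1 or 1"', 1);     -- accepted as an identifier, then
                                     -- ORA-00904: no such column
END;
/
```

The important property is that every caller-supplied fragment reaches the statement either as a bind variable or as a string DBMS_ASSERT has confirmed can only be parsed as an identifier; whether a rejected input fails in DBMS_ASSERT or in the SQL parser, it never becomes a WHERE clause.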