CREATE OR REPLACE PROCEDURE proc2_del_rows
(v_tname VARCHAR2,
v_condition VARCHAR2 DEFAULT NULL)
AS
sql_stmt VARCHAR2(500);
where_clause VARCHAR2(200) := 'WHERE'||' '||v_condition;
BEGIN
IF v_condition IS NULL THEN
where_clause := NULL;
END IF;
sql_stmt := 'DELETE FROM :1'||' '||where_clause;
EXECUTE IMMEDIATE sql_stmt USING v_tname;
COMMIT;
END;
/
The table name can't be a bind variable. Do a DBMS_ASSERT on the input table name parameter and make sure it is a valid table name literal, and then directly concatenate it to the delete statement. This will at least protect you against sql injection.
I'd like to know the reason behind doing a delete using a procedure and granting execute on this procedure to individual users, rather than granting a delete on the table to a user directly, which would somewhat be easier to control/restrict. I don't see how this is better in terms on security if that is what you are going for.
CREATE or replace PROCEDURE proc2_del_rows
(v_tname VARCHAR2,
v_condition VARCHAR2 DEFAULT NULL)
AS
sql_stmt VARCHAR2(500);
where_clause VARCHAR2(200) := 'WHERE'||' '||v_condition;
BEGIN
IF v_condition IS NULL THEN
where_clause := NULL;
END IF;
sql_stmt := 'DELETE FROM '||v_tname||' '||where_clause;
EXECUTE IMMEDIATE sql_stmt;
END;
/
To include a single-quote character within a string literal you need to double up the single quotes, as in proc2_del_rows('EMP', 'JOB=''CLERK''').
Documentation here
Related
I need to save a procedure body into a Clob column with a use of variable. String is longer than 4000 characters, so I can't use VarChar2, but with CLOB variable I receive error "ORA-01422: exact fetch returns more than requested number of rows". Same error appears with Varchar2. My PL/SQL block:
DECLARE
txt_procedure CLOB;
BEGIN
SELECT text INTO txt_procedure
FROM all_source
WHERE name = 'My_procedure'
ORDER BY line;
INSERT INTO TABLE1(ID,DATE,CLOB_COLUMN)
VALUES (my_seq.NEXTVAL,'11.10.2018',txt_procedure);
END;
/
How could I insert procedure body into clob column ?
As you will get multiple rows from your query for every line of your source, the following might help:
DECLARE
txt_procedure CLOB;
BEGIN
FOR source_r IN ( SELECT text
FROM all_source
WHERE name = 'My_procedure'
ORDER BY line
)
LOOP
txt_procedure := txt_procedure || chr(10) || source_r.text;
END LOOP;
INSERT INTO TABLE1(ID,DATE,CLOB_COLUMN)
VALUES (my_seq.NEXTVAL,'11.10.2018',txt_procedure);
END;
/
UPDATE
As an alternative, you might also use the DBMS_METADATA package for this:
DECLARE
txt_procedure CLOB;
BEGIN
txt_procedure := DBMS_METADATA.get_ddl(
object_type => 'PROCEDURE',
name => 'My_procedure',
owner => 'YOUR_SCHEMA'
);
INSERT INTO TABLE1(ID,DATE,CLOB_COLUMN)
VALUES (my_seq.NEXTVAL,'11.10.2018',txt_procedure);
END;
/
Im trying to execute below section of code but get an ORA-00904 error.
Declare
i_status varchar2(4) := 'NORM';
vsql varchar2(4000);
...
...
Begin
...
...<Part of larger dynamic sql>
If i_status is not null Then
vSql := vSql || ' And account.astatus = ' ||i_status|| '';
End if;
execute immediate (vSql) into tmp,ssn;
<Do something with tmp, ssn>
End;
An exception is raised at line "execute immediate" with error
ORA-00904 - "NORM": invalid identifier
column account.astatus has type char(4 byte)
I assume the problem is that I am trying to pass string variable NORM in the where clause without adding quotes ' '. How do get around this issue?
Thanks.
You can easily dig into your code and check where the issue exist by printing your VSQL before executing it.
Declare
i_status varchar2(10) := 'NORM';
vsql varchar2(4000):= 'Select * from dual where 1=3';
Begin
If i_status is not null Then
vSql := vSql || ' And account.astatus = ' ||i_status|| '';
End if;
dbms_output.put_line(vSql);
--execute immediate (vSql) into tmp,ssn;
End;
When you run this block you can see the statement that is getting generated which shows :
Select * from dual where 1=3 And account.astatus = NORM
Now you can easily note that your account.astatus = NORM is not correct so you can replace it with:
i_status varchar2(10) := '''NORM''';
or using q quotes:
i_status varchar2(10) := q'['NORM']';
Nevertheless what Boneist mentioned is the best practice which avoids sql injection.
The simple answer is to use bind variables, meaning you avoid the whole thorny issue of sql injection that you open yourself up to when you hardcode your variables into the dynamic sql. You also save yourself the faff of having to work out how to include the single-quotes to go around the string that your dynamic sql is currently missing.
Using bind variables, your code becomes:
Declare
i_status varchar2(4) := 'NORM';
vsql varchar2(4000);
...
...
Begin
...
...<Part of larger dynamic sql>
If i_status is not null Then
vSql := vSql || ' And account.astatus = :i_status';
End if;
execute immediate (vSql) into tmp,ssn using i_status;
<Do something with tmp, ssn>
End;
Can we use the parameters in a pl sql subprogram other than in where clause
Yes. Once you declare the variables in a PLSQL program, you can use it anywhere in the program. See below an example
DECLARE
var VARCHAR2 (100); -- Variable declared
BEGIN
var := 'My name is jack'; -- Assigning a string to the varibale
DBMS_OUTPUT.put_line (var); -- Displaying it.
SELECT 'My name is Mack' INTO var FROM DUAL;
DBMS_OUTPUT.put_line (var);
END;
I hope this helps.
Yes, you surely can.
Create or replace procedure test(a_param_1 in int, a_param_2 out int)
as
v_var int;
begin
dbms_output.put_line(a_param);--you can print the param
v_var := a_param ;-- you can assign it to some other value
a_param_2 := 1; --Out parameter can be assigned a value.
end;
I need to automate the following set of instructions with a pl/sql procedure:
SET DEFINE OFF;
TRUNCATE TABLE EMP.dept;
INSERT INTO EMP.dept values....;
Commit;
Also,I need to log the activity(sucess/failure) into a table EMP.Log.
Can someone help me in this ?
Depending on what the columns are in the EMP.dept table I would use a procedure defined as:
--The parameters to this procedure depend on the fields in EMP.dept
--This example assumes EMP.dept has only 2 VARCHAR fields, but
--the parameter list can easily be modified:
--
CREATE OR REPLACE PROCEDURE PROC_NAME1(INPUT1 IN VARCHAR2, INPUT2 IN VARCHAR2) AS
V_FAILURE INTEGER;
BEGIN
V_FAILURE := 0;
BEGIN
EXECUTE IMMEDIATE 'TRUNCATE TABLE EMP.dept';
INSERT INTO EMP.dept (FIELD1, FIELD2) VALUES (INPUT1, INPUT2);
COMMIT;
EXCEPTION
WHEN OTHERS THEN
V_FAILURE := 1;
ROLLBACK;
END;
BEGIN
--DEPENDING ON THE COLUMNS IN YOUR LOG_TABLE
--
INSERT INTO LOG_TABLE(STATUS, RUN_DATE)
VALUES (V_FAILURE, SYSDATE);
COMMIT;
EXCEPTION
WHEN OTHERS THEN NULL;
END;
END;
DECLARE
TYPE t IS RECORD (
col_name VARCHAR2 (100)
);
t_row t;
cname VARCHAR (100) := 'col_name';
BEGIN
t_row.col_name := 'col';
DBMS_OUTPUT.put_line ('out');
IF t_row.cname IS NULL THEN
DBMS_OUTPUT.put_line ('in');
END IF;
END;
Error at line 1
ORA-06550: line 12, column 12:
PLS-00302: component 'CNAME' must be declared
ORA-06550: line 12, column 3:
PL/SQL: Statement ignored
How can I assign dynamic column name to type variable of record?
You can do that with dynamic sql:
To make the example simpler I'll make your type t a schema object (but basically you don't have to - you can put it in the dynamic part as well)
create or replace type t is object(col_name varchar2(100));
/
Then you can look at this script:
declare
t_row t;
cname varchar2(100) := 'col_name';
begin
t_row := new t('col');
execute immediate 'declare t_in t := :0; begin if t_in.' || cname ||
' is null then dbms_output.put_line(''in''); end if; end;'
using t_row;
end;
Though, I must say, that this is a strange requirement ...
The error is because record t doesn't have a field cname, but col_name:
type t is record (
col_name varchar2(100)
);
One have to know record fields during compile time.
Could tell us what is the real problem you're going to solve ?