清理作为动态PL / SQL命令一部分的用户输入

时间:2012-10-12 12:02:17

标签: plsql user-input dynamic-sql sanitization in-operator


我有一个由用户填充的表,其VARCHAR2记录包含可执行PL / SQL代码“IN(user_input)”的一部分。我想知道如何清理这些用户输入或者重新调整它以提高效率。到目前为止我的所有想法都失败例如:

  • 在这种情况下不接受Bind变量
  • DBMS_ASSERT.enquote_literal总是引发异常等。

非常感谢您的帮助。

/* A "MY_PARAMETER" column is part of SQL: ...WHERE MY_DATA IN(MY_PARAMETER)... */
CREATE TABLE my_parameter_table (
       "ID" INTEGER NOT NULL ENABLE,
       "MY_PARAMETER" VARCHAR(255) NOT NULL ENABLE   
)

INSERT INTO my_parameter_table ("ID","MY_PARAMETER") VALUES (1,'6,7,8');
INSERT INTO my_parameter_table ("ID","MY_PARAMETER") VALUES (2,'''b'',''g'',''k''');
INSERT INTO my_parameter_table ("ID","MY_PARAMETER") VALUES (3,'SELECT dummy FROM dual'); -- return "X"

/* Tested table with data */
CREATE TABLE my_data_table (
       "ID" INTEGER NOT NULL ENABLE,
       "MY_DATA" VARCHAR(255) NOT NULL ENABLE,
       "MY_RESULT" VARCHAR(255) NOT NULL ENABLE   
);

INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (1,'a','NOT');
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (2,'b','THIS'); --WILL PASS
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (3,'c','NOT');
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (4,'X','IS'); --WILL PASS
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (5,'Y','NOT');
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (6,'Z','CORRECT'); --WILL PASS

/* Result table where results are inserted */
CREATE TABLE my_result_table (
       "MESSAGE" VARCHAR(255) NOT NULL ENABLE   
);

/* ------------------------------------------- */

DECLARE
    where_condition VARCHAR2(1000) := '';
    v_query VARCHAR2(1000) := '';
    insert_or VARCHAR2(5) := '';

    CURSOR test_parameter_cur IS
        (
          SELECT * FROM my_parameter_table            
        );
    test_parameter_rec test_parameter_cur%ROWTYPE;

BEGIN

    /* Read all parameters and build an WHERE condition */
    OPEN test_parameter_cur;
    LOOP 
        FETCH test_parameter_cur INTO test_parameter_rec; 
        EXIT WHEN test_parameter_cur%NOTFOUND;

        /* Condition check can be any type. Varchar, number, date or some subselect */
        IF test_parameter_rec.ID = 1 THEN where_condition := where_condition || insert_or || 'd.ID IN('|| test_parameter_rec.MY_PARAMETER ||')';
        ELSE where_condition := where_condition || insert_or || 'd.MY_DATA IN('|| test_parameter_rec.MY_PARAMETER ||')';
        END IF;
        insert_or := ' OR '; -- after first run the "OR" operator is inserted in front of each where condition 

    END LOOP; 
    CLOSE test_parameter_cur; 

v_query := 'INSERT INTO my_result_table(MESSAGE) 
           (SELECT d.MY_RESULT FROM my_data_table d
           WHERE '|| where_condition ||')';

EXECUTE IMMEDIATE v_query;
COMMIT; 
END;

/* Now the my_result_table contains 3 records: THIS, IS, CORRECT */
SELECT * FROM my_result_table;

DROP TABLE my_parameter_table; 
DROP TABLE my_data_table;

1 个答案:

答案 0 :(得分:0)

看看这里:https://blogs.oracle.com/aramamoo/entry/how_to_split_comma_separated_string_and_pass_to_in_clause_of_select_statement

像','的魅力一样 - 分隔列表。我建议TRIM()结果从结果中删除尾随和前导空格。

您可以将select语句用作子句中的子选择。

相关问题
最新问题