I am running into a problem with escape characters giving different values. Please help me with this: why does the same query give different results?
Query:
SELECT * FROM APP_REALM_ENTRIES WHERE ID IN (SELECT ID FROM APP_ENTRIES where APP_EXT_CODE ='TTL1' AND VERSION_NUMBER='1.0.1');
Result: one row
SQL block:
declare
  appcode varchar2(20);
  version_number varchar2(20);
  type rc is ref cursor;
  table_cursor rc;
  rec_table REALM_ENTRIES%ROWTYPE;
begin
  appcode := 'TTL1';
  version_number := '1.0.1';
  open table_cursor for 'SELECT * FROM REALM_ENTRIES WHERE ID IN (SELECT ID FROM APP_ENTRIES where APP_EXT_CODE ='''||appcode||''||'AND VERSION_NUMBER='||version_number||''')';
  LOOP
    FETCH table_cursor INTO rec_table;
    DBMS_OUTPUT.PUT_LINE('ROWCOUNT ' || table_cursor%ROWCOUNT );
    EXIT WHEN table_cursor%NOTFOUND;
  END LOOP;
  CLOSE table_cursor;
end;
Result: ROWCOUNT 0
Answer 0: (score: 1)
You can avoid all the trouble that comes with dynamic SQL and explicit cursor handling by using this much simpler implicit cursor FOR loop (docs: Query Result Set Processing With Cursor FOR LOOP Statements):
for rec in (
  SELECT *
    FROM APP_REALM_ENTRIES
   WHERE ID IN (SELECT ID
                  FROM APP_ENTRIES
                 where APP_EXT_CODE = appcode
                   AND VERSION_NUMBER = version_number)
) loop
  -- read values from the 'rec' record here.
end loop;
But for what it's worth, you are not doubling your single quotes correctly. Example:
||''|| -- this is appending NULL, not a single quote.
You probably meant:
||''''|| -- this appends one single quote.
Also...
'AND VERSION_NUMBER='||version_number -- this does not add a single quote before appending the version_number value.
You probably meant:
'AND VERSION_NUMBER='''||version_number
Answer 1: (score: 1)
As Justin suggested, use bind variables. By doing so you achieve two things: you no longer have to worry about getting the number of quotes right, and, more importantly, you close the door on SQL injection vulnerabilities. You can do this by changing the open statement to the following:
open table_cursor for 'SELECT * FROM REALM_ENTRIES WHERE ID IN (SELECT ID FROM APP_ENTRIES where APP_EXT_CODE =:appcode AND VERSION_NUMBER=:version_number)'
using appcode, version_number;
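A complete block that puts both suggestions side by side, the static cursor FOR loop from answer 0 and the bind-variable OPEN ... FOR from answer 1, added here as a worked example; it is not code from the original question or from any of the answers. The two scratch tables and their rows are constructed for the example (column names follow the question; the table is called APP_REALM_ENTRIES as in the original query). Before either query runs, the block builds the string exactly the way the question's concatenation does and prints it: the result is APP_EXT_CODE ='TTL1AND VERSION_NUMBER=1.0.1'), a syntactically valid predicate that compares the code column with one long literal and therefore matches nothing, which is why ROWCOUNT was 0. The PL/SQL variables carry an l_ prefix because inside a static SQL statement Oracle resolves a bare name to the column first, so a predicate such as VERSION_NUMBER = version_number (with a variable of that name) would silently compare the column with itself.

```sql
-- Scratch tables for the example (constructed; column names from the question).
CREATE TABLE app_entries (
  id             NUMBER PRIMARY KEY,
  app_ext_code   VARCHAR2(20),
  version_number VARCHAR2(20)
);
CREATE TABLE app_realm_entries (
  id    NUMBER PRIMARY KEY,
  realm VARCHAR2(20)
);
INSERT INTO app_entries VALUES (1, 'TTL1', '1.0.1');
INSERT INTO app_entries VALUES (2, 'TTL1', '1.0.2');
INSERT INTO app_realm_entries VALUES (1, 'realm-a');
INSERT INTO app_realm_entries VALUES (2, 'realm-b');
COMMIT;

-- SQL*Plus / SQLcl setting so that DBMS_OUTPUT lines are displayed.
SET SERVEROUTPUT ON

DECLARE
  -- l_ prefix: in static SQL a column name takes precedence over a
  -- PL/SQL variable of the same name.
  l_appcode        VARCHAR2(20) := 'TTL1';
  l_version_number VARCHAR2(20) := '1.0.1';
  l_sql            VARCHAR2(4000);
  l_rows           PLS_INTEGER;
  TYPE rc IS REF CURSOR;
  l_cur            rc;
  l_rec            app_realm_entries%ROWTYPE;
BEGIN
  -- 1. Diagnostic: assemble the string exactly as the question does and print it.
  --    '' is an empty literal (NULL in Oracle), so nothing is appended there,
  --    and the version value ends up outside any quotes.
  l_sql := 'SELECT * FROM APP_REALM_ENTRIES WHERE ID IN (SELECT ID FROM APP_ENTRIES WHERE APP_EXT_CODE ='''
           || l_appcode || '' || 'AND VERSION_NUMBER=' || l_version_number || ''')';
  DBMS_OUTPUT.PUT_LINE('as written   : ' || l_sql);

  --    The same string with every embedded quote written as '' inside the literal.
  l_sql := 'SELECT * FROM APP_REALM_ENTRIES WHERE ID IN (SELECT ID FROM APP_ENTRIES WHERE APP_EXT_CODE ='''
           || l_appcode || ''' AND VERSION_NUMBER=''' || l_version_number || ''')';
  DBMS_OUTPUT.PUT_LINE('quotes fixed : ' || l_sql);

  -- 2. Static SQL with a cursor FOR loop: no string building, no quoting at all.
  l_rows := 0;
  FOR rec IN (SELECT r.id, r.realm
                FROM app_realm_entries r
               WHERE r.id IN (SELECT e.id
                                FROM app_entries e
                               WHERE e.app_ext_code   = l_appcode
                                 AND e.version_number = l_version_number))
  LOOP
    l_rows := l_rows + 1;
    DBMS_OUTPUT.PUT_LINE('static  : id=' || rec.id || ' realm=' || rec.realm);
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('static rows  : ' || l_rows);

  -- 3. Dynamic SQL with bind variables: the statement text is a constant and the
  --    values are passed separately, so a quote inside a value is just data.
  OPEN l_cur FOR
    'SELECT * FROM app_realm_entries
      WHERE id IN (SELECT id FROM app_entries
                    WHERE app_ext_code   = :appcode
                      AND version_number = :version_number)'
    USING l_appcode, l_version_number;
  LOOP
    FETCH l_cur INTO l_rec;
    EXIT WHEN l_cur%NOTFOUND;   -- test before using the row, unlike the question's loop
    DBMS_OUTPUT.PUT_LINE('dynamic : id=' || l_rec.id || ' realm=' || l_rec.realm);
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('dynamic rows : ' || l_cur%ROWCOUNT);
  CLOSE l_cur;
END;
/
```

Run it as a script in SQL*Plus or SQLcl against a scratch schema (the two CREATE TABLE statements are the only setup). The first printed line is the evidence: it shows the query that was actually executed, and reading it is faster than reasoning about how many quotes each `''` contributes. The bind-variable form in part 3 is the one to keep for user-supplied values; the doubled-quote form in part 1 is shown only so the difference is visible.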
Answer 2: (score: 1)
Oracle Quotes in String
makes escaping ' easier:
q'{query with "'" }'
Now you can write:
open table_cursor for q'{
SELECT * FROM APP_REALM_ENTRIES
WHERE ID IN (
SELECT ID FROM APP_ENTRIES where
APP_EXT_CODE ='TTL1' AND VERSION_NUMBER='1.0.1')}';