[英]How can I pass column and table name as parameters to a SQL stored procedure
CREATE OR REPLACE FUNCTION getIdFromNameParameter
(columnName VARCHAR2, tableName VARCHAR2, whereColumn VARCHAR2, parameterColumn VARCHAR2)
RETURN VARCHAR2
AS
idCatc VARCHAR2(50);
BEGIN
execute immediate 'SELECT ' || columnName || ' INTO ' || idCatc || ' FROM ' || tableName || ' WHERE ' || whereColumn || ' = ' || parameterColumn;
RETURN idCatc;
END;
/
I get this warning: 我收到此警告:
Warning: Function created with compilation errors
警告:函数创建时出现编译错误
For one thing, the into
is part of execute immediate
: 一方面,
into
是execute immediate
一部分:
CREATE OR REPLACE FUNCTION getIdFromNameParameter (
in_columnName VARCHAR2,
in_tableName VARCHAR2,
in_whereColumn VARCHAR2,
in_parameterColumn VARCHAR2)
RETURN VARCHAR2
AS
idCatc VARCHAR2(50);
BEGIN
execute immediate 'SELECT ' || in_columnName || ' FROM ' || in_tableName || ' WHERE ' || in_whereColumn || ' = ' || in_parameterColumn
INTO idCatc;
RETURN idCatc;
END;
You were also using +
for string concatenation. 您还使用
+
进行字符串连接。
If you create a function like this, ensure it's safe from sql injection with something like the following. 如果创建这样的函数,请使用以下类似方法确保它免受sql注入的侵害。 This uses dbms_assert to sanitize the inputs against thing like ';drop table xyz;'
这使用dbms_assert清除输入内容,以防诸如'; drop table xyz;'之类的问题。
CREATE OR REPLACE FUNCTION getidfromnameparameter (
in_columnname VARCHAR2,
in_tablename VARCHAR2,
in_wherecolumn VARCHAR2,
in_parametercolumn VARCHAR2
) RETURN VARCHAR2 AS
idcatc VARCHAR2(50);
BEGIN
EXECUTE IMMEDIATE 'SELECT '
|| sys.dbms_assert.qualified_sql_name(in_columnName)
|| ' FROM '
|| sys.dbms_assert.sql_object_name(in_tableName)
|| ' WHERE '
|| sys.dbms_assert.qualified_sql_name(in_whereColumn)
|| ' = '
|| sys.dbms_assert.enquote_literal(in_parametercolumn)
INTO idcatc;
RETURN idcatc;
END;
/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.