stackoom
  简体   繁体   中英

How can I pass column and table name as parameters to a SQL stored procedure

 原文  2018-02-04 17:40:43       sql/ oracle/ plsql

Question

CREATE OR REPLACE FUNCTION getIdFromNameParameter 
    (columnName VARCHAR2, tableName VARCHAR2, whereColumn VARCHAR2, parameterColumn VARCHAR2)
RETURN VARCHAR2
AS
    idCatc VARCHAR2(50);
BEGIN
    execute immediate 'SELECT ' || columnName || ' INTO ' || idCatc || ' FROM ' || tableName || ' WHERE ' || whereColumn || ' = ' ||  parameterColumn;
    RETURN idCatc;
END;
/

I get this warning:

Warning: Function created with compilation errors

2 answers

solution1
 3  2018-02-04 17:44:29

For one thing, the into is part of execute immediate : 

CREATE OR REPLACE FUNCTION getIdFromNameParameter (
    in_columnName VARCHAR2,
    in_tableName VARCHAR2,
    in_whereColumn VARCHAR2,
    in_parameterColumn VARCHAR2)
RETURN VARCHAR2
AS
    idCatc VARCHAR2(50);
BEGIN
    execute immediate 'SELECT ' || in_columnName || ' FROM ' || in_tableName || ' WHERE ' || in_whereColumn || ' = ' ||  in_parameterColumn
    INTO idCatc;
    RETURN idCatc;
END;

You were also using + for string concatenation.

solution2
 1 ACCPTED  2018-02-04 20:47:36

If you create a function like this, ensure it's safe from sql injection with something like the following. This uses dbms_assert to sanitize the inputs against thing like ';drop table xyz;' 

 CREATE OR REPLACE FUNCTION getidfromnameparameter (
        in_columnname        VARCHAR2,
        in_tablename         VARCHAR2,
        in_wherecolumn       VARCHAR2,
        in_parametercolumn   VARCHAR2
    ) RETURN VARCHAR2 AS
        idcatc   VARCHAR2(50);
    BEGIN
        EXECUTE IMMEDIATE 'SELECT '
                         || sys.dbms_assert.qualified_sql_name(in_columnName)
                         || ' FROM '
                         || sys.dbms_assert.sql_object_name(in_tableName)
                         || ' WHERE '
                         || sys.dbms_assert.qualified_sql_name(in_whereColumn)
                         || ' = '
                         || sys.dbms_assert.enquote_literal(in_parametercolumn)
       INTO idcatc;

       RETURN idcatc;
  END;
  /

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Can I pass column name as input parameter in SQL stored Procedure SQL - stored procedure, pass field and table name parameters on execute How to pass column name as well as Table Name to a stored procedure as a parameter in SQL Server? Can I pass column name as input parameter in SQL update in stored procedure How to pass column name as parameter in a Stored Procedure in PL/SQL? SQL Pass a string to a Stored Procedure that is not a Column Name SQL LOOP Pass values from Temp Table as parameters to stored procedure In a PL/SQL procedure, how do I pass a table name as a parameter? Passing table name and column name dynamically to PL/SQL Stored procedure How to pass each value of the column from a table to a stored procedure and save the result in a table in SQL-Server
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM