Oracle 返回具有PL/SQL和变量表名的数据集
我正试图编写一个PL/SQL函数来存储一个带有可变表名的select语句(我知道这有点奇怪,但实际上这是一个很好的设计决策)。下面的代码不起作用……但我不确定如何获取变量表名(生成查询)和返回数据集。有人有这方面的经验吗?蒂亚Oracle 返回具有PL/SQL和变量表名的数据集,oracle,plsql,Oracle,Plsql,我正试图编写一个PL/SQL函数来存储一个带有可变表名的select语句(我知道这有点奇怪,但实际上这是一个很好的设计决策)。下面的代码不起作用……但我不确定如何获取变量表名(生成查询)和返回数据集。有人有这方面的经验吗?蒂亚 CREATE OR REPLACE FUNCTION fn_netstat_all (casename in varchar2) RETURN resultset_subtype IS dataset resultset_subtype; v_sql varc
CREATE OR REPLACE FUNCTION fn_netstat_all (casename in varchar2)
RETURN resultset_subtype
IS
dataset resultset_subtype;
v_sql varchar2(25000);
v_tablename varchar2(50);
begin
v_sql := 'SELECT * FROM ' || casename || '_netstat;';
OPEN dataset FOR
execute immediate v_sql;
return dataset;
end;
如果您的resultset_子类型是ref_游标(或仅用ref_游标替换resultset_子类型),您可以:
CREATE OR REPLACE
FUNCTION fn_netstat_all (
casename IN VARCHAR2
)
RETURN resultset_subtype
IS
dataset resultset_subtype;
BEGIN
OPEN dataset
FOR 'SELECT * FROM ' || casename || '_netstat';
RETURN dataset;
END fn_netstat_all;
FWIW,您可能希望查看DBMS_ASSERT包以包装casename变量,以帮助防止动态SQL中的SQL注入攻击
希望对您有所帮助……下面假设所有表格都相似。也可以选择每个表中相似的列子集,而无需使用。我还注意了Ollie提到的SQL注入
create table so9at (
id number(1),
data varchar2(5)
);
insert into so9at values (1, 'A-AAA');
insert into so9at values (2, 'A-BBB');
insert into so9at values (3, 'A-CCC');
create table so9bt (
id number(1),
data varchar2(5)
);
insert into so9bt values (5, 'B-AAA');
insert into so9bt values (6, 'B-BBB');
insert into so9bt values (7, 'B-CCC');
create table secret_identities (
cover_name varchar2(20),
real_name varchar2(20)
);
insert into secret_identities values ('Batman', 'Bruce Wayne');
insert into secret_identities values ('Superman', 'Clark Kent');
/* This is a semi-secure version immune to certain kind of SQL injections. Note
that it can be still used to find information about any table that ends with
't'. */
create or replace function cursor_of (p_table_id in varchar2)
return sys_refcursor as
v_cur sys_refcursor;
v_stmt constant varchar2(32767) := 'select * from ' || dbms_assert.qualified_sql_name(p_table_id || 't');
begin
open v_cur for v_stmt;
return v_cur;
end;
/
show errors
/* This is an unsecure version vulnerable to SQL injection. */
create or replace function vulnerable_cursor_of (p_table_id in varchar2)
return sys_refcursor as
v_cur sys_refcursor;
v_stmt constant varchar2(32767) := 'select * from ' || p_table_id || 't';
begin
open v_cur for v_stmt;
return v_cur;
end;
/
show errors
create or replace procedure print_values_of (p_cur in sys_refcursor) as
type rec_t is record (
id number,
data varchar2(32767)
);
v_rec rec_t;
begin
fetch p_cur into v_rec;
while p_cur%found loop
dbms_output.put_line('id = ' || v_rec.id || ' data = ' || v_rec.data);
fetch p_cur into v_rec;
end loop;
end;
/
show errors
declare
v_cur sys_refcursor;
begin
v_cur := cursor_of('so9a');
print_values_of(v_cur);
close v_cur;
v_cur := cursor_of('so9b');
print_values_of(v_cur);
close v_cur;
/* SQL injection vulnerability */
v_cur := vulnerable_cursor_of('secret_identities --');
dbms_output.put_line('Now we have a cursor that reveals all secret identities. Just see DBMS_SQL.DESCRIBE_COLUMNS ...');
close v_cur;
/* SQL injection made (mostly) harmless - will throw ORA-44004: invalid qualified SQL name */
v_cur := cursor_of('secret_identities --');
close v_cur;
end;
/
所有的表结构都相同吗?如果它们不是,您就不能使用(这就是您在上面使用的),但必须依赖PL/SQL包。Ollie,该函数不起作用。这给了我一个行中无效的字符错误:打开“SELECT*FROM”| | | | | | | netstat;”的数据集@你有额外的分号(;)。正确的格式是
“SELECT*FROM'| | | | | | |'| netstat'代码>