将参数绑定到 Oracle 动态 SQL [英] Binding Parameters to Oracle Dynamic SQL

问题描述

我有一个接受多个参数的存储过程(即 pName、pHeight、pTeam)

I have a stored procedure that accepts multiple parameters (i.e. pName, pHeight, pTeam)

我的查询是这样构建的:

I have the query built up like this:

SQLQuery VARCHAR2(6000);
TestCursor T_CURSOR;

SQLQuery := 'SELECT ID, Name, Height, Team FROM MyTable WHERE ID IS NOT NULL ';


-- Build the query based on the parameters passed.
IF pName IS NOT NULL
  SQLQuery := SQLQuery || 'AND Name LIKE :pName ';
END IF;

IF pHeight IS > 0
  SQLQuery := SQLQuery || 'AND Height = :pHeight ';
END IF;

IF pTeam IS NOT NULL
  SQLQuery := SQLQuery || 'AND Team LIKE :pTeam ';
END IF;


OPEN TestCursor FOR SQLQuery USING pName, pHeight, pTeam;

如果我执行传递所有参数的过程，它运行正常.

If I execute the procedure passing all parameters, it runs properly.

但是如果我只传递一两个参数，那么程序就会出错:

But if I only passed one or two of the parameters, then the procedure errors out:

ORA-01006: bind variable does not exist

如何根据参数值的使用位置有选择地将变量与参数绑定?例如，如果只传递了 pName，那么我只会执行查询:

How do I selectively bind the variable with the parameters based on where the parameter value was used? For example, if only pName was passed, then I would only execute the query:

OPEN TestCursor FOR SQLQuery USING pName;

或者如果 pName 和 pTeam 都被传递，则:

Or if both pName and pTeam was passed, then:

OPEN TestCursor FOR SQLQuery USING pName, pTeam;

希望有人可以摆脱更多方法来解决这个问题.谢谢.

Hope someone can shed more ways to resolve this. Thanks.

我实际上可以使用以下内容:

I could actually use the following:

-- 根据传递的参数构建查询.如果 pName 不为空SQLQuery := SQLQuery ||'AND 名字 LIKE ''' ||名称 ||''' ';如果结束;

-- Build the query based on the parameters passed. IF pName IS NOT NULL SQLQuery := SQLQuery || 'AND Name LIKE ''' || pName || ''' '; END IF;

IF pHeight IS > 0
  SQLQuery := SQLQuery || 'AND Height = pHeight ';
END IF;

IF pTeam IS NOT NULL
  SQLQuery := SQLQuery || 'AND Team LIKE ''' || pTeam || ''' ';
END IF;


OPEN TestCursor FOR SQLQuery;

但这很容易受到 SQL 注入的攻击...

But this would be VERY vulnerable to SQL Injection...

推荐答案

这不是非常优雅，但这意味着您始终可以提供所有三个绑定变量，即使其中一些为空.如果需要，您只需添加额外的 WHERE 子句.

This is not hugely elegant but it would mean that you could always supply all three bind variables even if some of them are null. You only add the extra WHERE clauses if needed.

(我尝试格式化动态 SQL 以使其更具可读性，您可以将其作为一个长字符串提供).

(I've tried to format the dynamic SQL to make it more readable, you could just supply it as one long string).

FUNCTION myFunc (
   pName   IN VARCHAR2,
   pHeight IN VARCHAR2,
   pTeam   IN VARCHAR2
)
   RETURN T_CURSOR
IS
   -- Local Variables
   SQLQuery   VARCHAR2(6000);
   TestCursor T_CURSOR;
BEGIN
   -- Build SQL query
   SQLQuery := 'WITH t_binds '||
                ' AS (SELECT :v_name AS bv_name, '||
                           ' :v_height AS bv_height, '||
                           ' :v_team AS bv_team '||
                      ' FROM dual) '||
               ' SELECT id, '||
                      ' name, '||
                      ' height, '||
                      ' team '||
                 ' FROM MyTable, '||
                      ' t_binds '||
                ' WHERE id IS NOT NULL';

   -- Build the query WHERE clause based on the parameters passed.
   IF pName IS NOT NULL
   THEN
     SQLQuery := SQLQuery || ' AND Name LIKE bv_name ';
   END IF;

   IF pHeight > 0
   THEN
     SQLQuery := SQLQuery || ' AND Height = bv_height ';
   END IF;

   IF pTeam IS NOT NULL
   THEN
     SQLQuery := SQLQuery || ' AND Team LIKE bv_team ';
   END IF;

   OPEN TestCursor 
    FOR SQLQuery 
  USING pName, 
        pHeight, 
        pTeam;

   -- Return the cursor
   RETURN TestCursor;
END myFunc;

我不在具有数据库访问权限的工作站前，所以我无法测试该功能，但它应该很接近(请原谅任何语法错误，这是漫长的一天！)

I'm not in front of a workstation with DB access so I can't test the function but it should be close (please forgive any syntax errors, it's been a long day!)

希望能帮到你...

这篇关于将参数绑定到 Oracle 动态 SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！