
The stored procedures being written here currently concatenate the parameters into the queries:

   SELECT * 
     FROM Names 
    WHERE Name = ' || prmName || ' 
 ORDER BY ' || prmSortField

Is it possible to parameterize this query inside the stored procedure? Possibly like:

query = 'select * From Names Where Name = @name Order By ' || prmSortField
call(query, prmName)

Note:
In case you wonder why we do so, there are two common parameters for our sp's: sortFieldIndex and sortDirection. Since we cannot directly parameterize these, the query is dynamically generated. But other parameters make the queries open to injection. So I am looking for a way to parameterize some of the parameters.

3 Answers


Absolutely. Use cursors.

DECLARE
  CURSOR c1 (job VARCHAR2, max_wage NUMBER) IS
    SELECT * FROM employees WHERE job_id = job AND salary > max_wage;
BEGIN
  FOR person IN c1('CLERK', 3000)
  LOOP
     -- process data record
    DBMS_OUTPUT.PUT_LINE('Name = ' || person.last_name || ', salary = ' ||
                         person.salary || ', Job Id = ' || person.job_id );
  END LOOP;
END;

1 Comment

What about the OP's prmSortField variable? How can you parameterize the ordering field without dynamic queries?

For a dynamic query with bind values, do this:

procedure p (prmName varchar2, prmSortField varchar2)
is
    query varchar2(100);
    rc sys_refcursor;
    names_rec names%rowtype;
begin
    -- prmName is passed as a bind variable; only the sort field is concatenated
    query := 'select * From Names Where Name = :name Order By ' || prmSortField;
    open rc for query using prmName;
    loop
        fetch rc into names_rec;
        exit when rc%notfound;
        -- process this row
    end loop;
    close rc;
end;
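Building on the answer above and on the comment under the first answer (what to do with prmSortField), here is an added example that is not from any of the answers: the name is bound, and the sortFieldIndex/sortDirection pair from the question is mapped through a fixed list to a column name before anything is concatenated into the SQL text. It assumes a Names table with columns Name and Created and a procedure name find_names.

```sql
-- Added example, not from the original answers. Assumes table Names
-- with columns Name and Created; find_names is a hypothetical name.
CREATE OR REPLACE PROCEDURE find_names (
    prmName          IN  VARCHAR2,
    prmSortFieldIdx  IN  PLS_INTEGER,
    prmSortDirection IN  VARCHAR2,
    prmResult        OUT SYS_REFCURSOR)
IS
    l_sort_col  VARCHAR2(30);
    l_sort_dir  VARCHAR2(4);
    l_query     VARCHAR2(4000);
BEGIN
    -- Only column names from this fixed list ever reach the SQL text;
    -- the caller's index is never concatenated directly.
    l_sort_col := CASE prmSortFieldIdx
                      WHEN 1 THEN 'Name'
                      WHEN 2 THEN 'Created'
                      ELSE NULL
                  END;
    IF l_sort_col IS NULL THEN
        RAISE_APPLICATION_ERROR(-20001, 'Invalid sort field index');
    END IF;

    -- Same treatment for the direction: accept only the two literals.
    l_sort_dir := CASE UPPER(prmSortDirection)
                      WHEN 'ASC'  THEN 'ASC'
                      WHEN 'DESC' THEN 'DESC'
                      ELSE NULL
                  END;
    IF l_sort_dir IS NULL THEN
        RAISE_APPLICATION_ERROR(-20002, 'Invalid sort direction');
    END IF;

    -- prmName is bound with USING, never concatenated. DBMS_ASSERT is a
    -- second guard: it raises if l_sort_col is not a simple SQL identifier.
    l_query := 'SELECT * FROM Names WHERE Name = :name ORDER BY '
            || DBMS_ASSERT.SIMPLE_SQL_NAME(l_sort_col) || ' ' || l_sort_dir;

    OPEN prmResult FOR l_query USING prmName;
END find_names;
/
```

The caller fetches from prmResult exactly as the loop in the answer above does; a bad index or direction fails before any SQL is built, which is also the point to log the rejected value.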


For a more elaborate procedure that supports optional parameter values (but uses sys context), check out the following post on Asktom.com

PRATTY -- Thanks for the question regarding 'CURSOR'...
