我有一个由用户填写的表,其 VARCHAR2 记录包含可执行 PL/SQL 代码“IN(user_input)”的一部分。我想知道如何清理这些用户输入或者重新编写以提高效率。到目前为止,我所有的想法都失败了。例如:
- 在这种情况下不接受绑定(bind)变量
- DBMS_ASSERT.enquote_literal 总是引发异常等。
非常感谢您的帮助。
/* A "MY_PARAMETER" column is part of SQL: ...WHERE MY_DATA IN(MY_PARAMETER)... */
CREATE TABLE my_parameter_table (
"ID" INTEGER NOT NULL ENABLE,
"MY_PARAMETER" VARCHAR(255) NOT NULL ENABLE
)
INSERT INTO my_parameter_table ("ID","MY_PARAMETER") VALUES (1,'6,7,8');
INSERT INTO my_parameter_table ("ID","MY_PARAMETER") VALUES (2,'''b'',''g'',''k''');
INSERT INTO my_parameter_table ("ID","MY_PARAMETER") VALUES (3,'SELECT dummy FROM dual'); -- return "X"
/* Tested table with data */
CREATE TABLE my_data_table (
"ID" INTEGER NOT NULL ENABLE,
"MY_DATA" VARCHAR(255) NOT NULL ENABLE,
"MY_RESULT" VARCHAR(255) NOT NULL ENABLE
);
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (1,'a','NOT');
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (2,'b','THIS'); --WILL PASS
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (3,'c','NOT');
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (4,'X','IS'); --WILL PASS
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (5,'Y','NOT');
INSERT INTO my_data_table ("ID","MY_DATA","MY_RESULT") VALUES (6,'Z','CORRECT'); --WILL PASS
/* Result table where results are inserted */
CREATE TABLE my_result_table (
"MESSAGE" VARCHAR(255) NOT NULL ENABLE
);
/* ------------------------------------------- */
DECLARE
where_condition VARCHAR2(1000) := '';
v_query VARCHAR2(1000) := '';
insert_or VARCHAR2(5) := '';
CURSOR test_parameter_cur IS
(
SELECT * FROM my_parameter_table
);
test_parameter_rec test_parameter_cur%ROWTYPE;
BEGIN
/* Read all parameters and build an WHERE condition */
OPEN test_parameter_cur;
LOOP
FETCH test_parameter_cur INTO test_parameter_rec;
EXIT WHEN test_parameter_cur%NOTFOUND;
/* Condition check can be any type. Varchar, number, date or some subselect */
IF test_parameter_rec.ID = 1 THEN where_condition := where_condition || insert_or || 'd.ID IN('|| test_parameter_rec.MY_PARAMETER ||')';
ELSE where_condition := where_condition || insert_or || 'd.MY_DATA IN('|| test_parameter_rec.MY_PARAMETER ||')';
END IF;
insert_or := ' OR '; -- after first run the "OR" operator is inserted in front of each where condition
END LOOP;
CLOSE test_parameter_cur;
v_query := 'INSERT INTO my_result_table(MESSAGE)
(SELECT d.MY_RESULT FROM my_data_table d
WHERE '|| where_condition ||')';
EXECUTE IMMEDIATE v_query;
COMMIT;
END;
/* Now the my_result_table contains 3 records: THIS, IS, CORRECT */
SELECT * FROM my_result_table;
DROP TABLE my_parameter_table;
DROP TABLE my_data_table;
最佳答案
像 ',' 的魅力一样工作 - 分隔列表。我建议对结果进行 TRIM() 以从结果中删除尾随和前导空白。
您可以将 select 语句用作子句中的子选择。
关于plsql - 清理作为动态 PL/SQL 命令一部分的用户输入,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/12858638/