
        Is it possible to pass table name as a parameter in Oracle?


                  Problem description

                  I want to create a stored procedure like this:

                  PROCEDURE P_CUSTOMER_UPDATE
                    (
                        pADSLTable IN Table,
                        pAccountname IN NVARCHAR2,
                        pStatus IN NUMBER,
                        pNote IN NVARCHAR2,
                        pEmail IN NVARCHAR2,
                        pMobi IN NVARCHAR2,
                        pServiceTypeID IN NUMBER,
                        pDate IN DATE
                    )
                    IS
                    BEGIN
                        UPDATE pADSLTable
                        SET STATUS = pStatus, NOTE = pNote, EMAIL = pEmail, MOBI = pMobi, SERVICETYPE_ID = pServiceTypeID, ACTIVATION_DATE = pDate
                        WHERE ACCOUNT_NAME = pAccountname;
                    END;
                  

                  Of course, Oracle does not let me do that. Is there a way to work around this problem? Thank you very much.

                  Recommended answer

                  You have several different tables with exactly the same column names and data types? Smells like a dodgy design.

                  Anyway, we cannot use variables as database objects in straightforward SQL like that. We have to use dynamic SQL.

                  PROCEDURE P_CUSTOMER_UPDATE
                    (
                        pADSLTable IN USER_TABLES.table_name%type,
                        pAccountname IN NVARCHAR2,
                        pStatus IN NUMBER,
                        pNote IN NVARCHAR2,
                        pEmail IN NVARCHAR2,
                        pMobi IN NVARCHAR2,
                        pServiceTypeID IN NUMBER,
                        pDate IN DATE
                    )
                    IS
                    BEGIN
                        execute immediate 
                            'UPDATE '||pADSLTable
                            ||' SET STATUS = :1, NOTE = :2, EMAIL = :3, MOBI = :4, SERVICETYPE_ID = :5, ACTIVATION_DATE = :6'
                            ||' WHERE ACCOUNT_NAME = :7'
                        using pStatus, pNote, pEmail, pMobi, pServiceTypeID, pDate, pAccountname;
                    END;
                  

                  One reason to avoid the use of dynamic SQL is that it is open to abuse. Malicious people can use the parameters to attempt to bypass our security. This is called SQL injection. I think people overestimate the significance of SQL injection. It's not automatically a threat. For instance, if the procedure is a private procedure in a package (i.e. not declared in the specification) it is unlikely that anybody will hijack it.

                  But it is sensible to take precautions. DBMS_ASSERT is a package introduced in Oracle 10g to trap attempted SQL injection attacks. In this case it would be worth using it to validate the passed table name:

                  ....
                  'UPDATE '|| DBMS_ASSERT.simple_sql_name(pADSLTable)
                  ....  
                  

                  This would prevent anybody passing 'pay_table set salary = salary * 10 where id = 1234 --' as the table name parameter.

                  Another reason to avoid dynamic SQL is that it is harder to get right and harder to debug. The syntax of the actual statement is only checked at run time. It is good to have a complete suite of unit tests which validate all the passed inputs, to ensure that the procedure doesn't hurl a syntax exception.

                  Finally, such dynamic SQL doesn't show up in views such as ALL_DEPENDENCIES. This makes it harder to undertake impact analysis and locate all the programs which use a given table or column.
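
An added example, not part of the original answer: a reduced version of the procedure that combines `DBMS_ASSERT.simple_sql_name` with a lookup in `USER_TABLES`, so that only the name read back from the data dictionary is concatenated into the statement. The procedure name `p_customer_status_update`, the sample table `adsl_north` and the `ADSL_` prefix rule are assumptions made for this example; the test block calls it with a valid name, the string quoted in the answer, and a well-formed name that is not permitted.

```sql
-- Constructed sample table; ADSL_NORTH and the ADSL_ prefix rule are assumptions.
CREATE TABLE adsl_north (account_name NVARCHAR2(50) PRIMARY KEY, status NUMBER);
INSERT INTO adsl_north VALUES (N'alice', 0);

CREATE OR REPLACE PROCEDURE p_customer_status_update (
    pADSLTable   IN VARCHAR2,
    pAccountname IN NVARCHAR2,
    pStatus      IN NUMBER
) IS
    vName  VARCHAR2(32767);
    vTable USER_TABLES.table_name%TYPE;
BEGIN
    -- Syntactic check: must be one simple identifier, otherwise ORA-44003.
    vName := UPPER(DBMS_ASSERT.simple_sql_name(pADSLTable));
    -- Allow-list check: must be a table in the owning schema with the ADSL_ prefix.
    SELECT table_name INTO vTable
      FROM user_tables
     WHERE table_name = vName
       AND SUBSTR(table_name, 1, 5) = 'ADSL_';
    -- Only the name read back from the dictionary is concatenated; values stay binds.
    EXECUTE IMMEDIATE
        'UPDATE ' || vTable || ' SET STATUS = :1 WHERE ACCOUNT_NAME = :2'
        USING pStatus, pAccountname;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RAISE_APPLICATION_ERROR(-20001, 'Table is not on the allow-list');
END;
/

SET SERVEROUTPUT ON
DECLARE
    -- Local helper for the demonstration: reports whether a name was accepted.
    PROCEDURE try_table(pName IN VARCHAR2) IS
    BEGIN
        p_customer_status_update(pName, N'alice', 1);
        DBMS_OUTPUT.put_line('accepted: ' || pName);
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.put_line('rejected: ' || pName || ' (' || SQLERRM || ')');
    END;
BEGIN
    try_table('adsl_north');
    try_table('pay_table set salary = salary * 10 where id = 1234 --'); -- string quoted in the answer
    try_table('pay_table');  -- valid identifier, but not on the allow-list
    ROLLBACK;
END;
/
```

`simple_sql_name` alone only proves the input is a well-formed identifier; the dictionary lookup is what restricts the procedure to the tables it was written for.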
