Variable number of bind variables in EXECUTE IMMEDIATE statement - database

In Oracle, is it possible to have a dynamic number of bind variables in an EXECUTE IMMEDIATE dynamic SQL statement?
For example, in a given situation I might want to do something like:
execute immediate stmt using lv_name;
But, assuming that stmt is some string that I fetch from some configuration table, one day I might add an additional parameter and would have to recompile the PL/SQL unit to add another parameter, like:
execute immediate stmt using lv_name, lv_age;
...
Is it possible in some way to do something like
execute immediate stmt using array_params[] ?
where array_params is an array or some sort of structure in PL/SQL that I can handle dynamically? Or receive it as a VARCHAR2 parameter and split it in some way into an array of tokens?
Thanks!
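One way to get a variable number of binds without recompiling, as an added example that is not part of the original question: EXECUTE IMMEDIATE needs its USING list fixed at compile time, but the DBMS_SQL package lets a PL/SQL block parse a statement and then call dbms_sql.bind_variable once per placeholder in a loop. The statement text, the employees table and the name=>value map below are constructed stand-ins for what the question says is read from a configuration table (the bind names would have to be stored alongside the statement text, since DBMS_SQL does not enumerate placeholders for you).

```plsql
-- Added example (not from the original post): bind a runtime-determined set of
-- named parameters with DBMS_SQL instead of EXECUTE IMMEDIATE ... USING.
DECLARE
    -- name => value map; the keys must be exactly the :placeholders in the statement
    TYPE bind_map_t IS TABLE OF VARCHAR2(4000) INDEX BY VARCHAR2(128);

    l_stmt   VARCHAR2(4000);
    l_binds  bind_map_t;

    -- Parse p_stmt once, bind every (name, value) pair in p_binds, execute it,
    -- and return the row count DBMS_SQL reports (rows affected for DML).
    FUNCTION exec_with_binds (p_stmt IN VARCHAR2, p_binds IN bind_map_t)
        RETURN NUMBER
    IS
        l_cur   INTEGER := dbms_sql.open_cursor;
        l_name  VARCHAR2(128);
        l_rows  NUMBER;
    BEGIN
        dbms_sql.parse(l_cur, p_stmt, dbms_sql.native);

        -- walk the associative array by key; the key (with or without a
        -- leading colon) is matched against the placeholders in p_stmt
        l_name := p_binds.FIRST;
        WHILE l_name IS NOT NULL LOOP
            dbms_sql.bind_variable(l_cur, l_name, p_binds(l_name));
            l_name := p_binds.NEXT(l_name);
        END LOOP;

        l_rows := dbms_sql.execute(l_cur);
        dbms_sql.close_cursor(l_cur);
        RETURN l_rows;
    EXCEPTION
        WHEN OTHERS THEN
            -- never leak a cursor handle when parse/bind/execute fails
            IF dbms_sql.is_open(l_cur) THEN
                dbms_sql.close_cursor(l_cur);
            END IF;
            RAISE;
    END exec_with_binds;
BEGIN
    -- Constructed stand-ins for a statement and values fetched from a config table.
    -- Values stay bound (never concatenated), so the data cannot alter the SQL.
    l_stmt := 'UPDATE employees SET age = :age WHERE name = :name';
    l_binds('name') := 'Scott';
    l_binds('age')  := '42';   -- bound as VARCHAR2; Oracle converts it for the NUMBER column

    dbms_output.put_line('rows updated: ' || exec_with_binds(l_stmt, l_binds));
END;
/
```

Two caveats a practitioner should keep in mind. First, the map must contain exactly the placeholders the statement uses: a missing one fails at execute time with ORA-01008 (not all variables bound) and a key that does not appear in the statement fails at bind time with ORA-01006. Second, the bind values are safe from injection, but the statement text itself runs with the privileges of the executing unit, so whoever can write to the configuration table can run arbitrary SQL through it; restrict write access to that table accordingly. For a SELECT you would add dbms_sql.define_column and dbms_sql.column_value calls after the execute, and bind_variable has NUMBER and DATE overloads if you prefer typed values to VARCHAR2 conversion.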

Related

Can't use a binding parameter in a Snowflake SQL API statement that utilizes a script block

I am using the Snowflake SQL API to execute a script block with a single binding parameter.
Currently, the API request uses two statements: the first sets a session variable and the second executes the script block referencing the session variable.
Using the session variable seems hacky, but when I send only one statement and try to use the binding parameter in the body I get the following error:
SQL compilation error: error line 2 at position 11
Unexpected unnamed bind in SQL stored procedure.
Below is a simplified example of what works:
set code = ?; -- using a session variable was the only way to get a binding parameter.
begin
return $code;
end;
This is a simplified example of what I would like to work, but results in the error:
begin
return ?;
end;
I am 100% positive my request body is formatted correctly. I have tried mixing up named parameters with anonymous ones and using execute immediate. There's part of me that thinks execute immediate is promising because of the using parameter, but I couldn't figure out the syntax.

How to initialize a value on a bind variable in the oracle apex?

I'm having problems when executing this code in oracle apex:
VARIABLE b_var NUMBER(20);
BEGIN
:b_var := 100;
END;
PRINT b_var;
What I am trying to do is initialize a value in a bind variable and then display it on the console.
But it always asks me to input a value, which is not my expected result.
These are 2 questions mixed into 1.
How to use a bind variable in APEX sql workshop.
Note that the sql workshop is NOT sqlplus. It is a web interface that executes individual statements. To get a bind variable there is no need to define it like in sqlplus. Just put it in your anonymous pl/sql block like this. Note that in your sample code you're not using bind variables correctly. The bind variable references a variable value - not the actual variable.
How to print output in the workshop.
The command "PRINT" is a sqlplus command - that won't work. Use dbms_output.put_line instead.
Putting it all together gives:
DECLARE
l_var VARCHAR2(100);
BEGIN
l_var := :b_var;
dbms_output.put_line(l_var);
END;
/

SQL Injection, ignore first select command

I am trying to build a scenario that would allow me to expose additional data from a server (for case-demo purposes). The server calls a vulnerable SQL code:
EXEC my_storeProc '12345'
where "12345" (not the single quotes) is the parameter. This performs a SELECT statement. I would like to eliminate this execution and instead call my own select statement, however the server side code will only accept the first select statement called, contained within the aforementioned EXEC call. Calling the second statement is easy:
EXEC my_storeProc '12345 ' select * from MySecondTable--
(the -- at the end will block the closing single quote added by the server to prevent errors). My problem is that although there are 2 select statements, the server will only parse the first one. Is there a way to cancel the first EXEC call without throwing an error so that the second one would be taken instead? Perhaps even a UNION but there isn't much I can do with only one variable open to exploit (variable being 12345 in this case).
You have to think of how it will be executed; specifically, you want it called so it doesn't raise an exception and put the kibosh on the whole statement. You can't set the result to always true with a proc call, so there is no real way to escape the proc. Instead, you'll want to slip a second command in. Your desired code looks like:
exec my_Storeproc '1234'; select * from mysecondtable
So we need to close the quotes and make a new statement. That would mean the string with the insert needs to be:
1234'; select * from mysecondtable where 1 = '1
There is a flaw in this: whatever command you are executing is not being returned to the UI. To get the data you'll have to add a server connection to the second command.
To make the second command unnecessary you would have to inject code into the proc, which is a non-starter since the proc is already compiled, and SQL injection relies on confusing the compiler as to what is data and what is commands. For a more verbose explanation of that, check out this answer:
https://security.stackexchange.com/a/25710

Dynamic cursor PERVASIVE

I'm trying to create an SP with a dynamic cursor to obtain the result of any SELECT statement.
CREATE PROCEDURE CursorTest (:query IN VARCHAR(5000));
BEGIN
DECLARE :out VARCHAR(5000);
/* the cursor over the dynamic statement is what the question is about */
DECLARE dynamicCursor CURSOR FOR EXEC (:query);
OPEN dynamicCursor;
/* cursor loop: fetch from the cursor (not from the loop label) until no rows remain */
CursorLoop:
LOOP
    FETCH NEXT FROM dynamicCursor INTO :out;
    IF SQLSTATE = '02000' THEN LEAVE CursorLoop; END IF;
END LOOP;
CLOSE dynamicCursor;
END;
I have 2 problems with that: declaring the cursor with the dynamic query, and outputting the result as a row.
Thanks in advance
Since this question is tagged pervasive I'm assuming you want to achieve this in PervasiveSQL.
I don't think what you are trying to do is possible there. The main reason for this is that - to my knowledge - P-SQL has no aggregate functions to combine arbitrary columns or rows into a string (like e.g. PostgreSQL's string_agg).
Secondly, P-SQL does not support querying by column number. The :query argument can be any statement (even an invalid one!), so you don't know how many columns it'll produce.
On a more essential note: what is it exactly that you want to achieve? This stored procedure looks to me like an overly complicated way of just executing :query, and having no means of handling the result. If logging or analysis is your goal, wouldn't you be better off by using an external, more flexible (scripting) language to deal with the result set? Admittedly SQL is a programming language, but it has its limitations.

Print the bound prepared statement using the sqlite library

Here is a sqlite library problem (using C).
After binding parameters of a prepared statement, how can I print the SQL with the bound parameters for debugging?
I googled it and only found a function to print the original prepared statement.
You can't access the prepared statement after the bind(). For debug-purposes, you can sprintf the values into the sql-string and give that to prepare() thus omitting the bind-calls.
What is your original sql string and what are your bind-calls?