Suppose I have a search functionality in front end written in Java. I have a text box for example name. When I pass a name or a character it works fine, but when I pass any special character, it's not working because I am sending this parameter to the oracle procedure, which is using dynamic query.
Suppose the query in my procedure is this:
create or replace procedure abc
(abc IN table.name%type
,p_abc abc_cur
)
is
v_var varchar2(2000);
begin
v_var:='select * from table where name LIKE '%'NVL(p_name,name)'%'';
open c1 for v_var;
end abc;
When I pass [%,_ ,.] it search on the basis of wild card characters as you see in the query.
Now when I pass ['] only then it gives an exception. Please tell me a solution how to handle this is backend, I don't want to consider any special character in the query and the use of dynamic query is compulsory.
NOTE: Please see parameters within braces[] are separa开发者_Go百科ted by comma.
I am using Oracle as RDBMS.
escape! Don't let the user use %. Also beware of sql injection. (Other chars to keep an aye on are _ and ?)
Btw in oracle you can user something like
SELECT * FROM TABLE_A WHERE FIELD LIKE '%sometext\%%' escape by '\'
Regards
EDIT: I prefer using cursor in for loops
for x in (select whatever from whenever) loop
DBMS_OUTPUT.putLine(x.field);
end loop;
this saves me from managing closures in exception handlers and cursor syntax
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论