Oracle function

Is there any function in Oracle that escapes invalid characters in a SQL query? I have code that builds a query from another line, and some of those lines may contain the character ', which breaks the SQL query.

+4
3 answers

As Yahia points out, you should always use bind variables rather than dynamically assembling SQL statements. That is the proper way to protect yourself from SQL injection attacks; anything else provides a much lower level of protection.

However, assuming you are using Oracle 10.1 or later, you can use the q quoting syntax. Something like:

    1  select q'[This is a string with an embedded ']' str
    2* from dual
  SQL> /

  STR
  -----------------------------------
  This is a string with an embedded '

You can replace the characters [ and ] with a number of other characters, depending on which characters may appear in the string:

    1  select q'<This is a string with an embedded '>' str
    2* from dual
  SQL> /

  STR
  -----------------------------------
  This is a string with an embedded '

  SQL> ed
  Wrote file afiedt.buf

    1  select q'{This is a string with an embedded '}' str
    2* from dual
  SQL> /

  STR
  -----------------------------------
  This is a string with an embedded '
+11

You should never create queries from strings. Use parameters instead; otherwise there is always a chance that someone will find a way to inject some SQL.

+4

Two single quotes escape a single quotation mark, so use '' instead of ' in your string.

+3
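As an added example, not taken from any of the answers above: a small Python helper that applies the advice of the first and third answers (pick a q-quote delimiter pair whose closing sequence cannot appear in the text, and fall back to doubling quotes when every pair collides) and, as the first and second answers recommend, shows the preferred alternative of keeping the value out of the SQL text altogether with a bind variable. The function names, the table `t` and the sample strings are assumptions made for this example.

```python
"""Build Oracle string literals from untrusted text without breaking the SQL.

Bind variables remain the right answer; the literal helpers cover the case
where a literal is unavoidable (e.g. generated scripts) and must not be
terminated early by a quote in the data.
"""

# Delimiter pairs accepted by Oracle's q-quoting (Oracle 10.1 and later).
Q_DELIMITERS = (("[", "]"), ("{", "}"), ("(", ")"), ("<", ">"))


def double_quote(text: str) -> str:
    """Classic escaping: every ' inside a '...' literal becomes ''."""
    return "'" + text.replace("'", "''") + "'"


def q_quote(text: str) -> str:
    """Return text as a q'X...X' literal.

    Oracle ends a q-quoted literal at the first occurrence of the closing
    delimiter followed by a single quote, so a delimiter pair is only safe
    if that two-character sequence is absent from the text. If no pair is
    safe, fall back to quote doubling, which is always correct.
    """
    for open_d, close_d in Q_DELIMITERS:
        if close_d + "'" not in text:
            return f"q'{open_d}{text}{close_d}'"
    return double_quote(text)


def parse_literal(lit: str) -> str:
    """Decode a literal produced by q_quote or double_quote using Oracle's
    rules, so a caller can verify that the value round-trips unchanged."""
    if lit.startswith("q'") and lit.endswith("'"):
        close_d = dict(Q_DELIMITERS)[lit[2]]
        body = lit[3:-1]
        assert body.endswith(close_d), "malformed q-quoted literal"
        return body[:-1]
    assert lit.startswith("'") and lit.endswith("'"), "malformed literal"
    return lit[1:-1].replace("''", "'")


def build_with_binds(value: str):
    """Preferred approach: the value never enters the SQL text. Returns the
    statement and a bind dictionary in the shape Oracle drivers accept."""
    sql = "select str from t where str = :v"  # hypothetical table t
    return sql, {"v": value}
```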
