PL/SQL Oracle procedure does not return any value
I have this Oracle procedure that reads a parameter with a varchar value, and when I use this parameter value in the procedure it does not work. Everything is explained below.
CREATE OR REPLACE procedure test_pro(read_batch in varchar2)
as
  v_read_batches varchar2(500);
begin
  -- wraps each comma-separated token in quotes, e.g. 100,1000 -> '100','1000'
  v_read_batches := '''' || replace(read_batch, ',', ''',''') || '''';
  --v_read_batches VALUE IS '100','1000','11','9200'
  -- (as posted; a SELECT inside PL/SQL also needs an INTO target or a cursor)
  SELECT CODE, BANK_NAME_ARABIC, BANK_CODE, to_number(BATCH_ID) BATCH_ID
  FROM (select 1 CODE, PB.BANK_NAME_ARABIC, to_char(PB.BANK_CODE) BANK_CODE,
               CASE PB.BANK_CODE
                 WHEN 1000 THEN 1000
                 WHEN 100  THEN 100
                 ELSE 9200
               END batch_id
        from BANKS PB
        WHERE PB.BANK_CODE IN (1000,100,11200)
        union
        SELECT 2 CODE, 'Other Banks' other_banks,
               listagg(PB.BANK_CODE, ', ') within group (order by PB.BANK_CODE) as BANK_CODE,
               11 batch_id
        FROM BANKS PB
        WHERE PB.BANK_CODE NOT IN (1000,100,9200))
  WHERE to_char(BATCH_ID) IN (v_read_batches);  -- v_read_batches is one single string here
end test_pro;
The problem is that when I put v_read_batches into the SQL condition it does not return any value, while when I run
the SQL below standalone, with the same value that the v_read_batches variable holds, it works and returns values!!
SELECT CODE, BANK_NAME_ARABIC, BANK_CODE, to_number(BATCH_ID) BATCH_ID
FROM (select 1 CODE, PB.BANK_NAME_ARABIC, to_char(PB.BANK_CODE) BANK_CODE,
             CASE PB.BANK_CODE
               WHEN 1000 THEN 1000
               WHEN 100  THEN 100
               ELSE 9200
             END batch_id
      from BANKS PB
      WHERE PB.BANK_CODE IN (1000,100,11200)
      union
      SELECT 2 CODE, 'Other Banks' other_banks,
             listagg(PB.BANK_CODE, ', ') within group (order by PB.BANK_CODE) as BANK_CODE,
             11 batch_id
      FROM BANKS PB
      WHERE PB.BANK_CODE NOT IN (1000,100,9200))
WHERE to_char(BATCH_ID) IN ('100','1000','11','9200')
You can't build a string like that and expect to use it in an IN list. The elements of an IN clause are static, i.e. if you code
col in ('123,456')
then we are looking for COL to match the string '123,456', not the elements 123 and 456.
You can convert the input string into rows with some SQL, e.g.
create table t as select '123,456,789' acct from dual;

-- one row per comma-separated element: 123, 456, 789
select distinct trim(regexp_substr(acct, '[^,]+', 1, level)) elem
from t
connect by level <= length(acct) - length(replace(acct, ',')) + 1;
Once that is in place you can change your procedure so that your
WHERE batch_id in (read_batch)
becomes
WHERE batch_id in (select trim(regexp_substr(read_batch, '[^,]+', 1, level))
                   from dual
                   connect by level <= length(read_batch) - length(replace(read_batch, ',')) + 1
                  )
In general, never fold input from the outside world directly into a SQL statement. You create the risk of "SQL injection", which is the most common way people get hacked.
A full video demo of the string-to-rows technique:
https://youtu.be/cjvpXL3H64c?list=PLJMaoEWvHwFIUwMrF4HLnRksF0H8DHGtt
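As an added example (not code from the question or the answer above), here is the asker's procedure rewritten the two ways this thread points at: the injection-prone shortcut of concatenating the quoted list into dynamic SQL, which is the usual "fix" once the pasted literal list is seen to work, beside the safe version that keeps read_batch as a bind variable and splits it into rows with the technique from the answer. Because the posted SELECT has nowhere to put its rows, both versions return them through an OUT ref cursor. The BANKS sample rows, the p_cur parameter and the test_pro_unsafe name are assumptions for a scratch schema.

```sql
-- Constructed sample data for a scratch schema (assumption: not the asker's real BANKS table).
CREATE TABLE banks (
  bank_code        NUMBER        NOT NULL,
  bank_name_arabic VARCHAR2(100)
);
INSERT INTO banks VALUES (100,   'Bank A');
INSERT INTO banks VALUES (1000,  'Bank B');
INSERT INTO banks VALUES (11200, 'Bank C');
INSERT INTO banks VALUES (42,    'Bank D');
INSERT INTO banks VALUES (77,    'Bank E');
COMMIT;

-- UNSAFE, for contrast (hypothetical name). The literal list worked when pasted in,
-- so the caller's string is quoted and glued into dynamic SQL. The input
--   q'[100') OR 1=1 --]'
-- becomes v_list = '100') OR 1=1 --'  and the predicate turns into
--   ... IN ('100') OR 1=1 --')
-- which returns every row: SQL injection through read_batch.
CREATE OR REPLACE PROCEDURE test_pro_unsafe(read_batch IN VARCHAR2, p_cur OUT SYS_REFCURSOR)
AS
  v_list VARCHAR2(500) := '''' || REPLACE(read_batch, ',', ''',''') || '''';
BEGIN
  OPEN p_cur FOR
    'SELECT bank_code, bank_name_arabic FROM banks WHERE TO_CHAR(bank_code) IN (' || v_list || ')';
END test_pro_unsafe;
/

-- SAFE. read_batch is referenced inside static SQL, so it is a bind variable; the
-- string is split into one row per element inside the query. Same rows as the asker's
-- standalone test with IN ('100','1000','11','9200'), with no SQL text built from input.
CREATE OR REPLACE PROCEDURE test_pro(read_batch IN VARCHAR2, p_cur OUT SYS_REFCURSOR)
AS
BEGIN
  OPEN p_cur FOR
    SELECT code, bank_name_arabic, bank_code, TO_NUMBER(batch_id) AS batch_id
    FROM (
      SELECT 1 AS code, pb.bank_name_arabic, TO_CHAR(pb.bank_code) AS bank_code,
             CASE pb.bank_code WHEN 1000 THEN 1000 WHEN 100 THEN 100 ELSE 9200 END AS batch_id
      FROM banks pb
      WHERE pb.bank_code IN (1000, 100, 11200)
      UNION
      SELECT 2, 'Other Banks',
             LISTAGG(pb.bank_code, ', ') WITHIN GROUP (ORDER BY pb.bank_code), 11
      FROM banks pb
      WHERE pb.bank_code NOT IN (1000, 100, 9200)
    )
    WHERE TO_CHAR(batch_id) IN (
      -- string-to-rows: one row per comma-separated token, surrounding blanks trimmed;
      -- an empty token ("100,,11") yields NULL, which simply matches nothing
      SELECT TRIM(REGEXP_SUBSTR(read_batch, '[^,]+', 1, LEVEL))
      FROM dual
      CONNECT BY LEVEL <= REGEXP_COUNT(read_batch, ',') + 1
    );
END test_pro;
/

-- Usage from SQL*Plus / SQLcl (constructed):
VARIABLE rc REFCURSOR
EXEC test_pro('100, 1000,11,9200', :rc)
PRINT rc
```

The safe version also accepts the sloppier input the unsafe one silently mangles ("100, 1000" with a space), because TRIM is applied per element rather than to the whole list. If the caller can pass an arbitrarily long list, size the parameter accordingly or accept a collection type instead; the CONNECT BY split has no fixed upper bound, but the VARCHAR2 parameter does.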