maxexplode
diff --git a/‎plsql/dynamic-sql/bind-not-concatenate.sql
Lines changed: 132 additions & 0 deletions b/‎plsql/dynamic-sql/bind-not-concatenate.sql
Lines changed: 132 additions & 0 deletions
diff --git a/‎plsql/dynamic-sql/dbms-assert.sql
Lines changed: 40 additions & 0 deletions b/‎plsql/dynamic-sql/dbms-assert.sql
Lines changed: 40 additions & 0 deletions
diff --git a/‎plsql/dynamic-sql/dynamic-method-3.sql
Lines changed: 104 additions & 0 deletions b/‎plsql/dynamic-sql/dynamic-method-3.sql
Lines changed: 104 additions & 0 deletions
@@ -0,0 +1,132 @@
+/*
+When you are writing a program with dynamic SQL in it (that is, you construct 
+your statement at runtime and execute it with EXECUTE IMMEDIATE or DBMS_SQL - 
+most likely and preferably the former), you should make sure to bind all variable 
+values into that statement, and not concatenate.
+*/
+
+-- Update Any Column In Table - Concatenation
+/*
+Here's a great example of a too-generic subprogram: update any numeric 
+(well, I suppose it would work for strings, too) column in the employees 
+table whose hire date falls within the specified range. I use concatenation 
+to put it all together. That leads to lots of typing, lots of code to look out 
+and lots of single quotes. It is unlikely that a program as generic as this will ever truly be needed!
+*/
+CREATE OR REPLACE PROCEDURE updnumval ( 
+   col_in     IN   VARCHAR2 
+ , start_in   IN   DATE 
+ , end_in     IN   DATE 
+ , val_in     IN   NUMBER 
+) 
+IS 
+   c_format CONSTANT VARCHAR2 ( 100 ) := 'YYYYMMDDHH24MISS'; 
+BEGIN 
+   EXECUTE IMMEDIATE    'UPDATE employees SET ' 
+                     || col_in 
+                     || ' = ' 
+                     || val_in 
+                     || ' WHERE hire_date BETWEEN TO_DATE (''' 
+                     || TO_CHAR ( start_in, c_format ) 
+                     || ''', ''' 
+                     || c_format 
+                     || ''') AND TO_DATE (''' 
+                     || TO_CHAR ( end_in, c_format ) 
+                     || ''', ''' 
+                     || c_format 
+                     || ''')'; 
+END; 
+/
+
+BEGIN 
+   updnumval ('salary', 
+              DATE '2002-01-01', 
+              DATE '2002-12-31', 
+              20000); 
+END; 
+/
+
+SELECT * 
+  FROM employees 
+ WHERE salary = 20000 ;
+
+-- Well You Don't Need All Those Single Quotes
+/*
+A rewrite of the original, still full of concatenation, but now using the Q literal 
+terminator feature to specify another character as the terminator of the literal, 
+so I can avoid having code like ''','''. I'm not convinced this is all that much better - 
+the benefit is more obvious when you are a large dynamic SQL statement as a single 
+string - full of doubled-up quotes.
+*/
+CREATE OR REPLACE PROCEDURE updnumval ( 
+   col_in     IN   VARCHAR2 
+ , start_in   IN   DATE 
+ , end_in     IN   DATE 
+ , val_in     IN   NUMBER 
+) 
+IS 
+   c_format CONSTANT VARCHAR2 ( 100 ) := 'YYYYMMDDHH24MISS'; 
+BEGIN 
+   EXECUTE IMMEDIATE    'UPDATE employees SET ' 
+                     || col_in 
+                     || ' = ' 
+                     || val_in 
+                     || q'[ WHERE hire_date BETWEEN TO_DATE (']' 
+                     || TO_CHAR ( start_in, c_format ) 
+                     || q'[', ']' 
+                     || c_format 
+                     || q'[') AND TO_DATE (']' 
+                     || TO_CHAR ( end_in, c_format ) 
+                     || q'[', ']' 
+                     || c_format 
+                     || q'[')]'; 
+END; 
+/
+
+BEGIN 
+   updnumval ('salary', 
+              DATE '2002-01-01', 
+              DATE '2002-12-31', 
+              30000); 
+END; 
+/
+
+SELECT * 
+  FROM employees 
+ WHERE salary = 30000 ;
+
+-- Switch to Binding with USING Clause
+/*
+ Now I rewrite the procedure to bind everything I can possibly bind:
+ the column value, low and high dates. My code is much simpler, easier to read, 
+ and is performance-optimized (more likely to avoid unnecessary parsing). 
+ Note that I cannot bind in the column NAME. That information is needed in 
+ order to parse the SQL statement (which comes before binding). 
+*/
+CREATE OR REPLACE PROCEDURE updnumval (col_in     IN VARCHAR2, 
+                                       start_in   IN DATE, 
+                                       end_in     IN DATE, 
+                                       val_in     IN NUMBER) 
+IS 
+BEGIN 
+   EXECUTE IMMEDIATE 
+         'UPDATE employees SET ' 
+      || col_in 
+      || ' = :val  
+        WHERE hire_date BETWEEN :lodate AND :hidate' 
+      USING val_in, start_in, end_in; 
+END; 
+/
+
+BEGIN 
+   updnumval ('salary', 
+              DATE '2002-01-01', 
+              DATE '2002-12-31', 
+              40000); 
+END; 
+/
+
+SELECT * 
+  FROM employees 
+ WHERE salary = 40000 ;
+
@@ -0,0 +1,40 @@
+/*
+Use DBMS_ASSERT to help guard against SQL injection.
+
+The DBMS_ASSERT package was introduced in Oracle 10g Release 2. It contains functions 
+that help developers sanitize user input and reduce the likelihood of SQL injection 
+in applications that concatenate text (they do NOT use bind variables).
+*/
+
+BEGIN 
+   sys.DBMS_OUTPUT.put_line (DBMS_ASSERT.schema_name ('HR')); 
+END; 
+/
+
+BEGIN 
+   sys.DBMS_OUTPUT.put_line (DBMS_ASSERT.sql_object_name ('EMPLOYEES')); 
+END; 
+/
+
+BEGIN 
+   sys.DBMS_OUTPUT.put_line (DBMS_ASSERT.qualified_sql_name  ('HR.EMPLOYEES')); 
+END; 
+/
+
+BEGIN 
+   sys.DBMS_OUTPUT.put_line (DBMS_ASSERT.schema_name ('HR')); 
+END; 
+/
+
+BEGIN 
+   sys.DBMS_OUTPUT.put_line (DBMS_ASSERT.schema_name ('WHO_ME')); 
+END; 
+/
+
+BEGIN 
+   DBMS_OUTPUT.put_line ( 
+      DBMS_ASSERT.sql_object_name ( 
+         'EMPLOYEES, (SELECT * FROM ALL_USERS) u')); 
+END; 
+/
+
@@ -0,0 +1,104 @@
+/*
+Method 3 Dynamic SQL: a SELECT statement whose select list (number of elements 
+returned by the query) and bind variables are fixed at compile-time. For more 
+information on dynamic SQL in PL/SQL: 
+
+https://stevenfeuersteinonplsql.blogspot.com/2016/07/a-quick-guide-to-writing-dynamic-sql-in.html
+*/
+
+CREATE TABLE employees 
+AS 
+   SELECT * FROM hr.employees ;
+
+-- Concatenate Table Name, Bind One Variable, Return Two Values
+-- Yes, all of that! Notice that I don't trust the table name provided. 
+-- I use DBMS_ASSERT to make sure it's a valid table name. 
+DECLARE  
+   l_last_name   employees.last_name%TYPE;  
+   l_salary      employees.salary%TYPE;  
+  
+   PROCEDURE show_value (table_in IN VARCHAR2, id_in IN INTEGER)  
+   IS  
+   BEGIN  
+      EXECUTE IMMEDIATE  
+            'SELECT last_name, salary FROM '  
+         || sys.DBMS_ASSERT.sql_object_name (table_in)  
+         || ' WHERE employee_id = :id_value'  
+         INTO l_last_name, l_salary  
+         USING id_in;  
+  
+      DBMS_OUTPUT.put_line (l_last_name || ' Earning ' || l_salary);  
+   END;  
+BEGIN  
+   show_value ('EMPLOYEES', 138);  
+END; 
+/
+
+DECLARE 
+   l_employee   employees%ROWTYPE; 
+BEGIN 
+   EXECUTE IMMEDIATE 'SELECT * FROM EMPLOYEES WHERE EMPLOYEE_ID = :empid' 
+      INTO l_employee 
+      USING 138; 
+ 
+   DBMS_OUTPUT.put_line (l_employee.last_name); 
+END allrows_by; 
+/
+
+-- Use BULK COLLECT with EXECUTE IMMEDIATE
+-- Sure, why not? Get all or specified set of rows and load a collection!
+DECLARE  
+   TYPE employee_ntt IS TABLE OF employees%ROWTYPE;  
+  
+   l_employees   employee_ntt;  
+BEGIN  
+   EXECUTE IMMEDIATE 'SELECT * FROM employees' BULK COLLECT INTO l_employees;  
+  
+   DBMS_OUTPUT.put_line (l_employees.COUNT);  
+END allrows_by; 
+/
+
+-- Use OPEN FOR to Fetch From Dynamic SELECT
+-- In Oracle8, when native dynamic SQL was first introduced, you could not 
+-- use BULK COLLECT with EXECUTE IMMEDIATE. So, instead, you could use OPEN 
+-- FOR to assign a cursor variable to the dynamic SELECT, and then FETCH BULK COLLECT.
+
+DECLARE  
+   l_cursor      SYS_REFCURSOR;  
+  
+   TYPE employee_ntt IS TABLE OF employees%ROWTYPE;  
+  
+   l_employees   employee_ntt;  
+BEGIN  
+   OPEN l_cursor FOR 'SELECT * FROM employees';  
+  
+   FETCH l_cursor BULK COLLECT INTO l_employees;  
+  
+   DBMS_OUTPUT.put_line (l_employees.COUNT);  
+  
+   CLOSE l_cursor;  
+END allrows_by; 
+/
+
+-- And With a LIMIT Clause
+DECLARE  
+   l_cursor      SYS_REFCURSOR;  
+  
+   TYPE employee_ntt IS TABLE OF employees%ROWTYPE;  
+  
+   l_employees   employee_ntt;  
+BEGIN  
+   OPEN l_cursor FOR 'SELECT * FROM employees';  
+  
+   LOOP  
+      FETCH l_cursor BULK COLLECT INTO l_employees LIMIT 100;  
+  
+      EXIT WHEN l_employees.COUNT = 0;  
+  
+      DBMS_OUTPUT.put_line (l_employees.COUNT);  
+   END LOOP;  
+  
+   CLOSE l_cursor;  
+END allrows_by; 
+/
+