Writing SQL injection proof dynamic DDL in Oracle

dynamic-sqloracle-12c

I have a need to write dynamic DDL statements such as CREATE USER ?. I know that I can use EXECUTE IMMEDIATE to do this, but so far I have found no way to incorporate dynamic parameters without simply concatenating strings, which leaves me open to SQL injection.

Coming from PostgreSQL I an used to being able to quote identifiers or using FORMAT to safely put identifiers into a formatted string that can then be executed. Is there anything like this in Oracle (particularly 12c)? If not, how does one perform such dynamic SQL safely?

Best Answer

DBMS_ASSERT might be what you're looking for:

╔═════════════════════════════╦══════════════════════════════════════════════════════════════════════════════════════════════════╗
║         Subprogram          ║                                           Description                                            ║
╠═════════════════════════════╬══════════════════════════════════════════════════════════════════════════════════════════════════╣
║ ENQUOTE_LITERAL Function    ║ Enquotes a string literal                                                                        ║
║ ENQUOTE_NAME Function       ║ Encloses a name in double quotes                                                                 ║
║ NOOP Functions              ║ Returns the value without any checking                                                           ║
║ QUALIFIED_SQL_NAME Function ║ Verifies that the input string is a qualified SQL name                                           ║
║ SCHEMA_NAME Function        ║ Verifies that the input string is an existing schema name                                        ║
║ SIMPLE_SQL_NAME Function    ║ Verifies that the input string is a simple SQL name                                              ║
║ SQL_OBJECT_NAME Function    ║ Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object ║
╚═════════════════════════════╩══════════════════════════════════════════════════════════════════════════════════════════════════╝

That same page also links to some examples on how you can avoid SQL injection.

Related Solutions

Sql-server – Print Parameters in Dynamic SQL

One way to get this done is probably something you have already done, and that is to replace your line:

if @DebugMode=1 print @SQL

with

if @DebugMode=1 print @SQL + ' ' + convert(nvarchar(max), @Foobar)

And you would have to do it this way for all your variables, you will need to convert them manually to avoid conversion errors.

You could also use RAISERROR in a similar fashion:

if @DebugMode=1 RAISERROR (N'We used a value of %d for @Foobar', 10, 1, @Foobar)

HTH

Using dynamic sql inside Oracle stored procedure

The only reason why I might do that is if I needed to address an object that might not exist at compile time -- for example if I had code to create new external tables as required.

As this implies, the dynamic SQL statement is not parsed when the PL/SQL compiles, so you have no idea whether it is correct or not, and dependencies are not stored in the database.

Best Answer

Related Solutions

Sql-server – Print Parameters in Dynamic SQL

Using dynamic sql inside Oracle stored procedure

Related Question