Menu
Is there a way to pass column and table names dynamically to a query using bind variables? This could be done by using a simple concatenation operator ||, but I would like a different approach by which this can be achieved.
EDIT
OPEN abc_cur FOR 'Select :column_name
from :table_name'
USING column_name,table_name;
In this example I am passing column_name as empno,ename and table_name as emp
But this approach is not working for me. Is it possible to have a different approach other that the traditional approach of concatenation?
656
Rules for using bind variables with Execute Immediate of Native Dynamic SQL. In native dynamic SQL we need to list down the values for all the bind variables used in the SQL query beforehand. You cannot use schema object names such as table name as bind argument in native dynamic SQL.
The best way to pass the dynamic values to a SQL query is by using parameters. In order to use this option, click on "Edit query" in "Execute Query" or "Execute nonquery" activity. Click on the Parameters property in the Input section and pass the parameters.
Bind parameters—also called dynamic parameters or bind variables—are an alternative way to pass data to the database. Instead of putting the values directly into the SQL statement, you just use a placeholder like ? , :name or @name and provide the actual values using a separate API call.
To use bind variables in an Oracle SQL query, you use the colon character : to indicate a bind variable. You use : then the variable name.
Table and column names cannot be passed as bind variables, no. The whole point of bind variables is that Oracle can generate a query plan once for the statement and then execute it many times with different bind variable values. If the optimizer doesn't know what table is being accessed or what columns are being selected and filtered on, it can't generate a query plan.
If your concern relates to SQL injection attacks, and assuming that dynamic SQL is actually necessary (most of the time, the need to resort to dynamic SQL implies problems with the data model), you can use the DBMS_ASSERT package to validate that the table names and column names don't contain embedded SQL.
65
No you cannot. Changing the table or column names in a query changes the semantics of that query - i.e. it becomes a different query.
Bind variables are all about passing different values to the same query. The optimiser can reuse the query with different values without having to re-parse it and optimise it.
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
