I have a SQL query which is parameterized by a very limited in-house framework. The query looks like this:
Select * from somewhere
where name IN (:parameter);
The code will inject zero to many strings into the location specified by :parameter. The ":parameter" flag can only be used within the "IN" clause (so it can't be moved after the where clause to conditionally insert the 'name IN' section).
Sometimes the user will set parameter to:
'dog', 'cat'
Other times, the user will not put any values into the :parameter variable. This causes a problem since the resulting SQL query will be:
Select * from somewhere
where name IN ();
My code can catch the case where parameter is empty, but I need something which I can inject into the IN statement which is guaranteed to NEVER match an actual string.
Is there any SQL regular expression which I could inject which would NEVER match any string? Something like %.% or something....
Thanks!
Answer: Oracle allows up to 1,000 IN list values in a SQL statement.
The IN operator allows you to specify multiple values in a WHERE clause. The IN operator is a shorthand for multiple OR conditions.
The number of values in the IN Clause can vary anywhere from 0 to thousands.
You can say:
where name in (null)
This will never match, since nothing is equal to null (not even null itself). null should not match with anything.
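Below is an added example (not code from the question or the answer) that puts the two points together: the values going into the IN list are bound as parameters rather than spliced into the SQL text, and an empty list falls back to `IN (NULL)`, which matches no row. It also splits long lists into several OR-joined IN lists to stay under the per-list cap the answer mentions for Oracle. The table `somewhere` with a `name` column is the one in the question; the rows, the in-memory SQLite database and the function names are constructed for the demonstration. The column name is supplied by the calling code, never by the user, since only the values are parameterized.

```python
import sqlite3
from typing import Sequence

# Oracle's per-list limit quoted in the answer; other databases differ.
ORACLE_MAX_IN_LIST = 1000


def build_in_clause(column: str, values: Sequence[str],
                    max_per_list: int = ORACLE_MAX_IN_LIST) -> tuple[str, list[str]]:
    """Return (sql_fragment, bind_params) for a '<column> IN (...)' predicate.

    - Empty input yields '<column> IN (NULL)'.  NULL compares as unknown to
      every value, NULL included, so the predicate is never true: the
      statement stays syntactically valid and simply returns no rows.
    - Non-empty input produces one '?' placeholder per value, so the values
      are bound as data and quotes inside them are never parsed as SQL.
    - Lists longer than max_per_list are split into several IN lists joined
      with OR so that no single list exceeds the cap.
    `column` must come from trusted code (it is interpolated, not bound).
    """
    if not values:
        return f"{column} IN (NULL)", []
    groups = []
    for start in range(0, len(values), max_per_list):
        chunk = values[start:start + max_per_list]
        groups.append(f"{column} IN ({', '.join('?' for _ in chunk)})")
    fragment = " OR ".join(groups)
    if len(groups) > 1:
        fragment = f"({fragment})"
    return fragment, list(values)


def names_in(conn: sqlite3.Connection, values: Sequence[str]) -> list[str]:
    """Run the question's query for the given names and return the matches."""
    clause, params = build_in_clause("name", values)
    sql = f"SELECT name FROM somewhere WHERE {clause} ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


def demo_connection() -> sqlite3.Connection:
    """Constructed sample data: three named rows plus one row whose name is NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE somewhere (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO somewhere (name) VALUES (?)",
                     [("dog",), ("cat",), ("bird",), (None,)])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(names_in(conn, ["dog", "cat"]))  # ['cat', 'dog']
    print(names_in(conn, []))              # []  IN (NULL) matches nothing, not even the NULL row
    print(names_in(conn, ["d'og"]))        # []  the quote is bound as data, not parsed as SQL
```

The empty-list case is worth checking against the NULL row explicitly: `NULL IN (NULL)` evaluates to unknown, not true, so even a row with a NULL name is excluded, which is exactly the "never match" behaviour the question asks for.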