[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 487
  • Last Modified:

using IN operator with USING clause

in regards to this:
http://www.experts-exchange.com/Database/Oracle/PL_SQL/Q_27377089.html

I've the procedure:

proc(param1 varchar2, param2 varchar2)
 open ref_cursor for
  'select * from sometable where param1 like :param1 and param2 in :param2'
   using '%'||param1||'%', '('||param2||')'

LIKE operator works fine for param1 but IN operator won't work for param2.. Tried all possible input scenarios..

i'm calling the procedure in sqlplus like this:

exec :v:=proc('something','''id1'',''id2''')

tried also
proc('something','id1'',''id2')

no errors but always zero records output..but there are matching records in the database.. help please?


0
ram_0218
Asked:
ram_0218
  • 4
  • 2
  • 2
1 Solution
 
sdstuberCommented:
you can't bind an "IN" collection like that.

you can use something like str2tbl though...


CREATE OR REPLACE TYPE  VCARRAY AS TABLE OF VARCHAR2(4000);

CREATE OR REPLACE FUNCTION str2tbl(p_string IN VARCHAR2, p_delimiter IN VARCHAR2 := ',')
        RETURN vcarray PIPELINED
    AS
        v_length   NUMBER := LENGTH(p_string);
        v_start    NUMBER := 1;
        v_index    NUMBER;
    BEGIN
        WHILE(v_start <= v_length)
        LOOP
            v_index    := INSTR(p_string, p_delimiter, v_start);

            IF v_index = 0
            THEN
                PIPE ROW(SUBSTR(p_string, v_start));
                v_start    := v_length + 1;
            ELSE
                PIPE ROW(SUBSTR(p_string, v_start, v_index - v_start));
                v_start    := v_index + 1;
            END IF;
        END LOOP;

        RETURN;
            WHEN NO_DATA_NEEDED THEN
            null;
    END str2tbl;

0
 
sdstuberCommented:
elect * from sometable where param1 like :param1 and param2 in (select * from str2tbl(:param2))'
   using '%'||param1||'%', param2
0
 
ram_0218Author Commented:
Thanks.. Missing Right Paranthesis with the code above.. but the parenthesis are correctly matching..
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
sdstuberCommented:
Oops, I forgot the table function

table(str2tbl(:param2))

0
 
slightwv (䄆 Netminder) Commented:
You can't do it using bind variables but you can using string concatenation.
create or replace procedure myproc(inVar1 in varchar2, outCur out sys_refcursor)
is
begin
	open outCur for
		'select ''Hello'' from dual where dummy in (' || inVar1 || ')';

end;
/

show errors

--sqlplus setup to test it
var myCur refcursor

exec myProc('''X'',''Y'',''Z''', :mycur);

print mycur

Open in new window

0
 
sdstuberCommented:
'select * from sometable where param1 like :param1 and param2 in (select * from table(str2tbl(:param2)))'
   using '%'||param1||'%', param2;


but,  I have to wonder,  why are you using dynamic sql for this?  Nothing in your example is dynamic.

proc(param1 varchar2, param2 varchar2)
 open ref_cursor for
  select * from sometable 
       where sometable.param1 like proc.param1 
       and sometable.param2 in (select * from table(str2tbl(procparam2)));

Open in new window



for simplicity,  I recommend giving your variables and your columns with different names
0
 
ram_0218Author Commented:
thanks, table(..) worked great..

Just before closing out the question,

slightvv, yes the current implementation we have is using concatenation.. but it's introducing sql injection vulnerablity which is why we're changing this to dynamic binding.. any other ideas / suggestions?
0
 
slightwv (䄆 Netminder) Commented:
If your app will allow injected IN values then no, I cannot think of a way around it off the top of my head.

Can you not check for syntax to see 'extra' values injected?
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now