You could build an update string and then run it via a dynamic action and execute immediate...
Elephants wear tu-tus so they can hide in pine trees. Did you ever see an elephant in a pine tree? No? Well then, you know it works.
I am trying to create a page where a user can enter/select values and click submit, and a table is updated with the selected values.
I have 6 items on my page:
- TABLE_NAME (popup LOV, 4 different table names)
- COLUMN1 (select list based on the table_name value; displays the column names based on what table is selected)
- COLUMN2 (select list based on the table_name value; displays the column names based on what table is selected)
- OPERATOR (operators such as =, !=, in, not in, >, <, etc.)
When the user clicks "update" I want the following script to run:
- UPDATE :TABLE_NAME
- SET :COLUMN1 := :VALUE1
- WHERE :COLUMN2 :OPERATOR :VALUE2
I created a DA with the above code but it doesn't compile.
Is there a way to do this?
SERVER: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
Eeek! This is the express service to SQL Injection Central!
What validation do you have in place to prevent this gaping hole into your database being exploited?
Strongly recommend that you reconsider this approach as it is a security nightmare.
From a database standpoint, what you want to do is a horrible idea. You can try asking over in General Database Discussions to see what they think.
You're better off teaching people how to write proper UPDATE statements.
Things like TABLE NAME, COLUMN NAME, and OPERATOR cannot be 'bind' variables.
(again, this is a database thing, not an apex thing)
If you still want to do that, what you desire is called "dynamic sql".
Then, you'll want to use DBMS_SQL so that you can 'parse' the actual SQL (not just 'BIND' it).
Again, you're better off asking people in the General Database Discussions forum as what you want to do is a database thing, not an APEX thing.
ps - for your own safety, I'm not telling you how to do it.
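Added example, not part of the thread or any poster's code: one way to assemble this kind of statement without concatenating raw page input is to allowlist the table and operator, look the column names up in USER_TAB_COLUMNS, and bind only the two values. The procedure name, its parameters and the two table names are assumptions, and the tables are assumed to live in the procedure owner's schema.

```sql
-- Added example; procedure, parameter and table names are hypothetical.
CREATE OR REPLACE PROCEDURE safe_dynamic_update (
  p_table     IN VARCHAR2,
  p_set_col   IN VARCHAR2,
  p_new_val   IN VARCHAR2,
  p_where_col IN VARCHAR2,
  p_operator  IN VARCHAR2,
  p_where_val IN VARCHAR2
) AS
  l_table VARCHAR2(128) := UPPER(p_table);
  l_set   VARCHAR2(128);
  l_where VARCHAR2(128);
  l_sql   VARCHAR2(1000);

  -- Return the dictionary's spelling of a column; raises NO_DATA_FOUND
  -- when the column does not exist on the table.
  FUNCTION known_column (p_tab VARCHAR2, p_col VARCHAR2) RETURN VARCHAR2 IS
    l_name user_tab_columns.column_name%TYPE;
  BEGIN
    SELECT column_name INTO l_name
      FROM user_tab_columns
     WHERE table_name = p_tab AND column_name = UPPER(p_col);
    RETURN l_name;
  END known_column;
BEGIN
  -- 1. The table must be one of the names the LOV offers (constructed names).
  IF l_table IS NULL OR l_table NOT IN ('PROJECT_TASKS', 'PROJECT_MILESTONES') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Table not allowed');
  END IF;

  -- 2. Columns must exist on that table; the dictionary value is used, not the input.
  l_set   := known_column(l_table, p_set_col);
  l_where := known_column(l_table, p_where_col);

  -- 3. The operator must equal an entry in a fixed list. IN / NOT IN take a
  --    list of values and need their own code path, so they are left out.
  IF p_operator IS NULL OR p_operator NOT IN ('=', '!=', '>', '<', '>=', '<=') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Operator not allowed');
  END IF;

  -- 4. Only validated text is concatenated; both values are bound.
  l_sql := 'UPDATE ' || DBMS_ASSERT.ENQUOTE_NAME(l_table, FALSE)
        || ' SET '   || DBMS_ASSERT.ENQUOTE_NAME(l_set, FALSE)
        || ' = :new_val WHERE ' || DBMS_ASSERT.ENQUOTE_NAME(l_where, FALSE)
        || ' ' || p_operator || ' :where_val';
  EXECUTE IMMEDIATE l_sql USING p_new_val, p_where_val;
END safe_dynamic_update;
/
```

The values are bound as VARCHAR2, so Oracle converts them implicitly to the column's datatype; a value that does not convert raises an error instead of changing the statement's structure.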
Thanks for the info.
As far as the SQL Injection goes, I know this is a bad way to do it.
I was hoping that, because most likely the only person who would be using/able to access this page would be the Project Manager, it's less likely that he will want to/have the knowledge to screw up the database, because it would screw up the whole project.