Security risk of ref cursor & dynamic sql
Hi guys,
I am using Ref Cursor to execute a dynamic sql in my stored procedure. Inputs to the dynamic SQL are passed in as parameters. My code fragments:
parameters:
CREATE PROCEDURE mm_select(
aaa IN VARCHAR2,
bbb IN VARCHAR2 )
in the code:
sqlstmt := 'SELECT * FROM dbaivoc.mm ' ||
'WHERE b in (' || role_id_list || ') ' ||
'AND c = '|| application_fn_id_list ;
OPEN RC1 FOR sqlstmt;
My question is, is it possible for anyone to pass in a malicious SQL like drop table xxx into the parameter list eg. exec mm_select(1,'1; drop table aa;')
I've tried but it doesn't seem to work. I'm just asking for confirmation. Thanks for any help!
rgds,
mas
I don't see in your small pieces of code what the input parameters aaa and bbb are used for.
If your statement is always
sqlstmt := 'select ....'
then I don't see how this can be changed to 'drop table ...'.
It would be something different if you have something like this in your procedure:
execute immediate bbb;
Similar Messages
-
Issue in using Cursor+Dynamic SQL+ Bulk collect +FORALL
Hi,
I have a dynamic query which I need to use as a cursor to fetch records that inturn need to be inserted into a staging table.
The issue I am facing is I am not sure how to declare the variable to fetch the records into. Since I am using a dynamic cursor how do I declare it?
My code looks something like this -
TYPE c_details_tbl_type IS REF CURSOR;
c_details c_details_tbl_type;
TYPE c_det_tbl_type IS TABLE OF c_details%ROWTYPE INDEX BY PLS_INTEGER;
c_det_tbl c_det_tbl_type; -- ???
BEGIN
v_string1 := 'SELECT....'
v_string2 := ' UNION ALL SELECT....'
v_string3 := 'AND ....'
v_string := v_string1||v_string2||v_string3;
OPEN c_details FOR v_string;
LOOP
FETCH c_details BULK COLLECT
INTO c_det_tbl LIMIT 1000;
IF (c_det_tbl.COUNT > 0) THEN
DELETE FROM STG;
FORALL i IN 1..c_det_tbl.COUNT
INSERT INTO STG
VALUES (c_det_tbl(i));
END IF;
EXIT WHEN c_details%NOTFOUND;
END LOOP;
CLOSE c_details;
END
ThanksWhy the bulk collect? All that this does is slow down the read process (SELECT) and write process (INSERT).
Data selected needs (as a collection) to be pushed into the PGA memory of the PL/SQL engine. And then that very same data needs to be pushed again by the PL/SQL engine back to the database to be inserted. Why?
It is a lot faster, needs a lot less resources, with fewer moving parts, to simply instruct the SQL engine to do both these steps using a single INSERT..SELECT statement. And this can support parallel DML too for scalability when data volumes get large.
It is also pretty easy to make a single SQL statement like this dynamic and even support bind variables.
Simplicity is the ultimate form of elegance. Pushing data needlessly around is not simple and thus not a very elegant way to address the problem. -
Display output of ref cursor in sql developer
Hi,
I am writing following procedure.
create or replace
procedure test_output(
arg_like in varchar2,
cv_results in out sys_refcursor)
is
Type sys_refcursor is ref cursor;
begin
open cv_results for
select * from claim_status where status_id like 'arg_like%';
end;
I would like to check the output by running the procedure in sql developer.Boneist wrote:
What, not even if you run it as a script?
This is in the [SQL Developer Documentation|http://download.oracle.com/docs/cd/E12151_01/doc.150/e12152/intro.htm#CHDJBBIH] :
1.7.1 SQL*Plus Statements Supported and Not Supported in SQL WorksheetThe SQL Worksheet supports some SQL*Plus statements. SQL*Plus statements must be interpreted by the SQL Worksheet before being passed to the database; any SQL*Plus that are not supported by the SQL Worksheet are ignored and not passed to the database.
The following SQL*Plus statements are not supported by the SQL Worksheet:
a[ppend]
archive
attr[ibute]
bre[ak]
bti[tle]
c[hange]
col[ulmn]
comp[ute]
copy
del
disc[onnect]
ed[it]
get
help
i[nput]
l[ist]
newpage
oradebug
passw[ord]
print
r[un]
recover
repf[ooter]
reph[eader]
sav[e]
sho[w]
shu[tdown]
spo[ol]
startup
store
tti[tle]
*var[iable]* -
Dynamic sql and ref cursors URGENT!!
Hi,
I'm using a long to build a dynamic sql statement. This is limited by about 32k. This is too short for my statement.
The query results in a ref cursor.
Does anyone have an idea to create larger statement or to couple ref cursors, so I can execute the statement a couple of times and as an result I still have one ref cursor.
Example:
/* Determine if project is main project, then select all subprojects */
for i in isMainProject loop
if i.belongstoprojectno is null then
for i in ProjectSubNumbers loop
if ProjectSubNumbers%rowcount=1 then
SqlStatement := InitialStatement || i.projectno;
else
SqlStatement := SqlStatement || PartialStatement || i.projectno;
end if;
end loop;
else
for i in ProjectNumber loop
if ProjectNumber%rowcount=1 then
SqlStatement := InitialStatement || i.projectno;
else
SqlStatement := SqlStatement || PartialStatement || i.projectno;
end if;
end loop;
end if;
end loop;
/* Open ref cursor */
open sql_output for SqlStatement;
Thanks in advance,
Jeroen Muis
KCI Datasystems BV
mailto:[email protected]Example for 'dynamic' ref cursor - dynamic WHERE
(note that Reports need 'static' ref cursor type
for building Report Layout):
1. Stored package
CREATE OR REPLACE PACKAGE report_dynamic IS
TYPE type_ref_cur_sta IS REF CURSOR RETURN dept%ROWTYPE; -- for Report Layout only
TYPE type_ref_cur_dyn IS REF CURSOR;
FUNCTION func_dyn (p_where VARCHAR2) RETURN type_ref_cur_dyn;
END;
CREATE OR REPLACE PACKAGE BODY report_dynamic IS
FUNCTION func_dyn (p_where VARCHAR2) RETURN type_ref_cur_dyn IS
ref_cur_dyn type_ref_cur_dyn;
BEGIN
OPEN ref_cur_dyn FOR
'SELECT * FROM dept WHERE ' | | NVL (p_where, '1 = 1');
RETURN ref_cur_dyn;
END;
END;
2. Query PL/SQL in Reports
function QR_1RefCurQuery return report_dynamic.type_ref_cur_sta is
begin
return report_dynamic.func_dyn (:p_where);
end;
Regards
Zlatko Sirotic
null -
Dynamic queries in report builder 6i ( ref cursor query )
Hi everyone,
My requirement is that I want to create a report where the query is dynamic. The dynamic part will be known at runtime as it is being passed via a parameter. My query looks like this :
select * from emp where sal :p1 :p2
Possible values for :p1 are - '>', '<', '>=', '<=', '=', '!='
Possible values for :p2 are - any value entered by the user
I tried creating a query in report builder based on a ref cursor. But it does not allow me to create the query for the ref cursor dynamically. That means I have to hardcode the query in the program.
I tried using place holder columns without success.
Can someone please help me ?
Regards,
AlHi,
You can use lexical paramters in the sql query
x - char - parameter
select * from emp &x
you need to pass the value for x in the parameter as
'where sal < 1234'.
Note : Lexical variable should be of char datatype.
This is an alternative to the ref cursors.
This works. Hope this is clear. -
PL/SQL 101 : Cursors and SQL Projection
PL/SQL 101 : Cursors and SQL Projection
This is not a question, it's a forum article, in reponse to the number of questions we get regarding a "dynamic number of columns" or "rows to columns"
There are two integral parts to an SQL Select statement that relate to what data is selected. One is Projection and the other is Selection:-
Selection is the one that we always recognise and use as it forms the WHERE clause of the select statement, and hence selects which rows of data are queried.
The other, SQL Projection is the one that is less understood, and the one that this article will help to explain.
In short, SQL Projection is the collective name for the columns that are Selected and returned from a query.
So what? Big deal eh? Why do we need to know this?
The reason for knowing this is that many people are not aware of when SQL projection comes into play when you issue a select statement. So let's take a basic query...
First create some test data...
create table proj_test as
select 1 as id, 1 as rn, 'Fred' as nm from dual union all
select 1,2,'Bloggs' from dual union all
select 2,1,'Scott' from dual union all
select 2,2,'Smith' from dual union all
select 3,1,'Jim' from dual union all
select 3,2,'Jones' from dual
... and now query that data...
SQL> select * from proj_test;
ID RN NM
1 1 Fred
1 2 Bloggs
2 1 Scott
2 2 Smith
3 1 Jim
3 2 Jones
6 rows selected.
OK, so what is that query actually doing?
To know that we need to consider that all queries are cursors and all cursors are processed in a set manner, roughly speaking...
1. The cursor is opened
2. The query is parsed
3. The query is described to know the projection (what columns are going to be returned, names, datatypes etc.)
4. Bind variables are bound in
5. The query is executed to apply the selection and identify the data to be retrieved
6. A row of data is fetched
7. The data values from the columns within that row are extracted into the known projection
8. Step 6 and 7 are repeated until there is no more data or another condition ceases the fetching
9. The cursor is closed
The purpose of the projection being determined is so that the internal processing of the cursor can allocate memory etc. ready to fetch the data into. We won't get to see that memory allocation happening easily, but we can see the same query being executed in these steps if we do it programatically using the dbms_sql package...
CREATE OR REPLACE PROCEDURE process_cursor (p_query in varchar2) IS
v_sql varchar2(32767) := p_query;
v_cursor number; -- A cursor is a handle (numeric identifier) to the query
col_cnt integer;
v_n_val number; -- numeric type to fetch data into
v_v_val varchar2(20); -- varchar type to fetch data into
v_d_val date; -- date type to fetch data into
rec_tab dbms_sql.desc_tab; -- table structure to hold sql projection info
dummy number;
v_ret number; -- number of rows returned
v_finaltxt varchar2(100);
col_num number;
BEGIN
-- 1. Open the cursor
dbms_output.put_line('1 - Opening Cursor');
v_cursor := dbms_sql.open_cursor;
-- 2. Parse the cursor
dbms_output.put_line('2 - Parsing the query');
dbms_sql.parse(v_cursor, v_sql, dbms_sql.NATIVE);
-- 3. Describe the query
-- Note: The query has been described internally when it was parsed, but we can look at
-- that description...
-- Fetch the description into a structure we can read, returning the count of columns that has been projected
dbms_output.put_line('3 - Describing the query');
dbms_sql.describe_columns(v_cursor, col_cnt, rec_tab);
-- Use that description to define local datatypes into which we want to fetch our values
-- Note: This only defines the types, it doesn't fetch any data and whilst we can also
-- determine the size of the columns we'll just use some fixed sizes for this example
dbms_output.put_line(chr(10)||'3a - SQL Projection:-');
for j in 1..col_cnt
loop
v_finaltxt := 'Column Name: '||rpad(upper(rec_tab(j).col_name),30,' ');
case rec_tab(j).col_type
-- if the type of column is varchar2, bind that to our varchar2 variable
when 1 then
dbms_sql.define_column(v_cursor,j,v_v_val,20);
v_finaltxt := v_finaltxt||' Datatype: Varchar2';
-- if the type of the column is number, bind that to our number variable
when 2 then
dbms_sql.define_column(v_cursor,j,v_n_val);
v_finaltxt := v_finaltxt||' Datatype: Number';
-- if the type of the column is date, bind that to our date variable
when 12 then
dbms_sql.define_column(v_cursor,j,v_d_val);
v_finaltxt := v_finaltxt||' Datatype: Date';
-- ...Other types can be added as necessary...
else
-- All other types we'll assume are varchar2 compatible (implicitly converted)
dbms_sql.DEFINE_COLUMN(v_cursor,j,v_v_val,2000);
v_finaltxt := v_finaltxt||' Datatype: Varchar2 (implicit)';
end case;
dbms_output.put_line(v_finaltxt);
end loop;
-- 4. Bind variables
dbms_output.put_line(chr(10)||'4 - Binding in values');
null; -- we have no values to bind in for our test
-- 5. Execute the query to make it identify the data on the database (Selection)
-- Note: This doesn't fetch any data, it just identifies what data is required.
dbms_output.put_line('5 - Executing the query');
dummy := dbms_sql.execute(v_cursor);
-- 6.,7.,8. Fetch the rows of data...
dbms_output.put_line(chr(10)||'6,7 and 8 Fetching Data:-');
loop
-- 6. Fetch next row of data
v_ret := dbms_sql.fetch_rows(v_cursor);
-- If the fetch returned no row then exit the loop
exit when v_ret = 0;
-- 7. Extract the values from the row
v_finaltxt := null;
-- loop through each of the Projected columns
for j in 1..col_cnt
loop
case rec_tab(j).col_type
-- if it's a varchar2 column
when 1 then
-- read the value into our varchar2 variable
dbms_sql.column_value(v_cursor,j,v_v_val);
v_finaltxt := ltrim(v_finaltxt||','||rpad(v_v_val,20,' '),',');
-- if it's a number column
when 2 then
-- read the value into our number variable
dbms_sql.column_value(v_cursor,j,v_n_val);
v_finaltxt := ltrim(v_finaltxt||','||to_char(v_n_val,'fm999999'),',');
-- if it's a date column
when 12 then
-- read the value into our date variable
dbms_sql.column_value(v_cursor,j,v_d_val);
v_finaltxt := ltrim(v_finaltxt||','||to_char(v_d_val,'DD/MM/YYYY HH24:MI:SS'),',');
else
-- read the value into our varchar2 variable (assumes it can be implicitly converted)
dbms_sql.column_value(v_cursor,j,v_v_val);
v_finaltxt := ltrim(v_finaltxt||',"'||rpad(v_v_val,20,' ')||'"',',');
end case;
end loop;
dbms_output.put_line(v_finaltxt);
-- 8. Loop to fetch next row
end loop;
-- 9. Close the cursor
dbms_output.put_line(chr(10)||'9 - Closing the cursor');
dbms_sql.close_cursor(v_cursor);
END;
SQL> exec process_cursor('select * from proj_test');
1 - Opening Cursor
2 - Parsing the query
3 - Describing the query
3a - SQL Projection:-
Column Name: ID Datatype: Number
Column Name: RN Datatype: Number
Column Name: NM Datatype: Varchar2
4 - Binding in values
5 - Executing the query
6,7 and 8 Fetching Data:-
1 ,1 ,Fred
1 ,2 ,Bloggs
2 ,1 ,Scott
2 ,2 ,Smith
3 ,1 ,Jim
3 ,2 ,Jones
1 ,3 ,Freddy
1 ,4 ,Fud
9 - Closing the cursor
PL/SQL procedure successfully completed.
So, what's really the point in knowing when SQL Projection occurs in a query?
Well, we get many questions asking "How do I convert rows to columns?" (otherwise known as a pivot) or questions like "How can I get the data back from a dynamic query with different columns?"
Let's look at a regular pivot. We would normally do something like...
SQL> select id
2 ,max(decode(rn,1,nm)) as nm_1
3 ,max(decode(rn,2,nm)) as nm_2
4 from proj_test
5 group by id
6 /
ID NM_1 NM_2
1 Fred Bloggs
2 Scott Smith
3 Jim Jones
(or, in 11g, use the new PIVOT statement)
but many of these questioners don't understand it when they say their issue is that, they have an unknown number of rows and don't know how many columns it will have, and they are told that you can't do that in a single SQL statement. e.g.
SQL> insert into proj_test (id, rn, nm) values (1,3,'Freddy');
1 row created.
SQL> select id
2 ,max(decode(rn,1,nm)) as nm_1
3 ,max(decode(rn,2,nm)) as nm_2
4 from proj_test
5 group by id
6 /
ID NM_1 NM_2
1 Fred Bloggs
2 Scott Smith
3 Jim Jones
... it's not giving us this 3rd entry as a new column and we can only get that by writing the expected columns into the query, but then what if more columns are added after that etc.
If we look back at the steps of a cursor we see again that the description and projection of what columns are returned by a query happens before any data is fetched back.
Because of this, it's not possible to have the query return back a number of columns that are based on the data itself, as no data has been fetched at the point the projection is required.
So, what is the answer to getting an unknown number of columns in the output?
1) The most obvious answer is, don't use SQL to try and pivot your data. Pivoting of data is more of a reporting requirement and most reporting tools include the ability to pivot data either as part of the initial report generation or on-the-fly at the users request. The main point about using the reporting tools is that they query the data first and then the pivoting is simply a case of manipulating the display of those results, which can be dynamically determined by the reporting tool based on what data there is.
2) The other answer is to write dynamic SQL. Because you're not going to know the number of columns, this isn't just a simple case of building up a SQL query as a string and passing it to the EXECUTE IMMEDIATE command within PL/SQL, because you won't have a suitable structure to read the results back into as those structures must have a known number of variables for each of the columns at design time, before the data is know. As such, inside PL/SQL code, you would have to use the DBMS_SQL package, just like in the code above that showed the workings of a cursor, as the columns there are referenced by position rather than name, and you have to deal with each column seperately. What you do with each column is up to you... store them in an array/collection, process them as you get them, or whatever. They key thing though with doing this is that, just like the reporting tools, you would need to process the data first to determine what your SQL projection is, before you execute the query to fetch the data in the format you want e.g.
create or replace procedure dyn_pivot is
v_sql varchar2(32767);
-- cursor to find out the maximum number of projected columns required
-- by looking at the data
cursor cur_proj_test is
select distinct rn
from proj_test
order by rn;
begin
v_sql := 'select id';
for i in cur_proj_test
loop
-- dynamically add to the projection for the query
v_sql := v_sql||',max(decode(rn,'||i.rn||',nm)) as nm_'||i.rn;
end loop;
v_sql := v_sql||' from proj_test group by id order by id';
dbms_output.put_line('Dynamic SQL Statement:-'||chr(10)||v_sql||chr(10)||chr(10));
-- call our DBMS_SQL procedure to process the query with it's dynamic projection
process_cursor(v_sql);
end;
SQL> exec dyn_pivot;
Dynamic SQL Statement:-
select id,max(decode(rn,1,nm)) as nm_1,max(decode(rn,2,nm)) as nm_2,max(decode(rn,3,nm)) as nm_3 from proj_test group by id order by id
1 - Opening Cursor
2 - Parsing the query
3 - Describing the query
3a - SQL Projection:-
Column Name: ID Datatype: Number
Column Name: NM_1 Datatype: Varchar2
Column Name: NM_2 Datatype: Varchar2
Column Name: NM_3 Datatype: Varchar2
4 - Binding in values
5 - Executing the query
6,7 and 8 Fetching Data:-
1 ,Fred ,Bloggs ,Freddy
2 ,Scott ,Smith ,
3 ,Jim ,Jones ,
9 - Closing the cursor
PL/SQL procedure successfully completed.
... and if more data is added ...
SQL> insert into proj_test (id, rn, nm) values (1,4,'Fud');
1 row created.
SQL> exec dyn_pivot;
Dynamic SQL Statement:-
select id,max(decode(rn,1,nm)) as nm_1,max(decode(rn,2,nm)) as nm_2,max(decode(rn,3,nm)) as nm_3,max(decode(rn,4,nm)) as nm_4 from proj_test group by id order by id
1 - Opening Cursor
2 - Parsing the query
3 - Describing the query
3a - SQL Projection:-
Column Name: ID Datatype: Number
Column Name: NM_1 Datatype: Varchar2
Column Name: NM_2 Datatype: Varchar2
Column Name: NM_3 Datatype: Varchar2
Column Name: NM_4 Datatype: Varchar2
4 - Binding in values
5 - Executing the query
6,7 and 8 Fetching Data:-
1 ,Fred ,Bloggs ,Freddy ,Fud
2 ,Scott ,Smith , ,
3 ,Jim ,Jones , ,
9 - Closing the cursor
PL/SQL procedure successfully completed.
Of course there are other methods, using dynamically generated scripts etc. (see Re: 4. How do I convert rows to columns?), but the above simply demonstrates that:-
a) having a dynamic projection requires two passes of the data; one to dynamically generate the query and another to actually query the data,
b) it is not a good idea in most cases as it requires code to handle the results dynamically rather than being able to simply query directly into a known structure or variables, and
c) a simple SQL statement cannot have a dynamic projection.
Most importantly, dynamic queries prevent validation of your queries at the time your code is compiled, so the compiler can't check that the column names are correct or the tables names, or that the actual syntax of the generated query is correct. This only happens at run-time, and depending upon the complexity of your dynamic query, some problems may only be experienced under certain conditions. In effect you are writing queries that are harder to validate and could potentially have bugs in them that would are not apparent until they get to a run time environment. Dynamic queries can also introduce the possibility of SQL injection (a potential security risk), especially if a user is supplying a string value into the query from an interface.
To summarise:-
The projection of an SQL statement must be known by the SQL engine before any data is fetched, so don't expect SQL to magically create columns on-the-fly based on the data it's retrieving back; and, if you find yourself thinking of using dynamic SQL to get around it, just take a step back and see if what you are trying to achieve may be better done elsewhere, such as in a reporting tool or the user interface.
Other articles in the PL/SQL 101 series:-
PL/SQL 101 : Understanding Ref Cursors
PL/SQL 101 : Exception Handlingexcellent article. However there is one thing which is slightly erroneous. You don't need a type to be declared in the database to fetch the data, but you do need to declare a type;
here is one of my unit test scripts that does just that.
DECLARE
PN_CARDAPPL_ID NUMBER;
v_Return Cci_Standard.ref_cursor;
type getcardapplattrval_recordtype
Is record
(cardappl_id ci_cardapplattrvalue.cardappl_ID%TYPE,
tag ci_cardapplattrvalue.tag%TYPE,
value ci_cardapplattrvalue.value%TYPE
getcardapplattrvalue_record getcardapplattrval_recordtype;
BEGIN
PN_CARDAPPL_ID := 1; --value must be supplied
v_Return := CCI_GETCUSTCARD.GETCARDAPPLATTRVALUE(
PN_CARDAPPL_ID => PN_CARDAPPL_ID
loop
fetch v_return
into getcardapplattrvalue_record;
dbms_output.put_line('Cardappl_id=>'||getcardapplattrvalue_record.cardappl_id);
dbms_output.put_line('Tag =>'||getcardapplattrvalue_record.tag);
dbms_output.put_line('Value =>'||getcardapplattrvalue_record.value);
exit when v_Return%NOTFOUND;
end loop;
END; -
Ref.Cursor Problem - URGENT
Hi Friends,
For my report ( calc.rdf ) ,
I am passing two input parameters P_Client_ID, P_Plan_ID.
In .rdf, I had a ref.cursor for selecting records based on
two input parameters values.
case1:
P_client_ID = 'SRINI'
P_Plan_ID = '3232'
My report is generating the output for plan 3232.
case2:
P_client_ID = 'SRINI'
P_Plan_ID = NULL
My report is generating the output for all plans.
case3:
P_client_ID = 'SRINI'
P_Plan_ID = '3232,3257,3259'
My report is not generating any output here.
Only blanck page i am getting.
How can i pass multiple plans to ref.cursor at a time ?
Note:
I now, we cannot make Lexical references in a PL/SQL statement.
Any other way to solve this problem ?
Thanks for Help,
sriniI think that you work with 'static' ref cursor.
From Oracle 8.1.5, we can use 'dynamic' ref cursors.
With 'dynamic' ref cursor we can avoid the use of lexical parameters in Reports 3.0 / 6i.
With 'static' ref cursor this is not possible in all cases.
For example, if we need dynamic WHERE, we practically can't use 'static' ref cursor.
Example for 'dynamic' ref cursor (dynamic WHERE)
1. Stored package
CREATE OR REPLACE PACKAGE report_dynamic IS
TYPE type_ref_cur_sta IS REF CURSOR RETURN dept%ROWTYPE; -- for Report Layout only
TYPE type_ref_cur_dyn IS REF CURSOR;
FUNCTION func_dyn (p_where VARCHAR2) RETURN type_ref_cur_dyn;
END;
CREATE OR REPLACE PACKAGE BODY report_dynamic IS
FUNCTION func_dyn (p_where VARCHAR2) RETURN type_ref_cur_dyn IS
l_ref_cur_dyn type_ref_cur_dyn;
BEGIN
OPEN l_ref_cur_dyn FOR
'SELECT * FROM dept WHERE ' || NVL (p_where, '1 = 1');
RETURN l_ref_cur_dyn;
END;
END;
2.2 Query PL/SQL in Reports
function QR_1RefCurQuery return report_dynamic.type_ref_cur_sta is
begin
return report_dynamic.func_dyn (:p_where);
end;
Note that Oracle Reports 3.0 / 6i needs 'static' ref cursor type for building Report Layout.
So, in package specification we must have both ref cursor types, static for Report Layout
and dynamic for ref cursor query.
Regards
Zlatko Sirotic -
Hi,
If anybody know how to execute function which has ref cursor type.
Can I call that function in my select statement in query.
Function is using week ref cursor type and id as IN parameter.
Thans for you help in advance.You can use a function returning a ref cursor in SQL, the output is nested cursor though.
SQL> create or replace function f
2 return sys_refcursor
3 as
4 c sys_refcursor;
5 begin
6 open c for
7 select * from emp where deptno = 10;
8 return c;
9 end;
10 /
Function created.
SQL> select f from dual;
F
CURSOR STATEMENT : 1
CURSOR STATEMENT : 1
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
7782 CLARK MANAGER 7839 06-09-1981 2450 10
7839 KING PRESIDENT 11-17-1981 5000 10
7934 MILLER CLERK 7782 01-23-1982 1300 10
SQL> -
Hi,
I want to use rowid for updating the rows in the ref cursor. My code looks like below:
DECLARE
emp_refcursor SYS_REFCURSOR;
emp_rec employee%ROWTYPE;
l_run_id NUMBER;
lv_sql_stmt VARCHAR2(4000) := 'SELECT a.* FROM employee a where a.run_id = :l_run_id ';
OPEN emp_refcursor FOR lv_sql_stmt
USING l_run_id;
LOOP
FETCH emp_refcursor
INTO emp_rec;
EXIT WHEN emp_refcursor%NOTFOUND;
Here in lv_sql_stmt I want to include the rowid also so that I can use the update statement with the rowid. I cant directly add the rowid in the query as I am fetching the records in emp_rec which is of the rowtype of table EMPLOYEE.
I want to use rowid for making the fetching of records faster.
Please suggest e some ways to implement it.
Thanks.
Edited by: user12841217 on Mar 23, 2010 12:12 AMuser12841217 wrote:
Hi,
I want to use rowid for updating the rows in the ref cursor.There are no rows in a ref cursor. Read the following:
PL/SQL 101 : Understanding Ref Cursors :-
PL/SQL 101 : Understanding Ref Cursors
My code looks like below:
DECLARE
emp_refcursor SYS_REFCURSOR;
emp_rec employee%ROWTYPE;
l_run_id NUMBER;
lv_sql_stmt VARCHAR2(4000) := 'SELECT a.* FROM employee a where a.run_id = :l_run_id ';
OPEN emp_refcursor FOR lv_sql_stmt
USING l_run_id;
LOOP
FETCH emp_refcursor
INTO emp_rec;
EXIT WHEN emp_refcursor%NOTFOUND;
Here in lv_sql_stmt I want to include the rowid also so that I can use the update statement with the rowid. I cant directly add the rowid in the query as I am fetching the records in emp_rec which is of the rowtype of table EMPLOYEE.
I want to use rowid for making the fetching of records faster.
Please suggest e some ways to implement it. This sounds like half of the requirement. If you're already fetching the rows using your ref cursor, then why would you need the rowid to fetch them again?
If you really need to include rowid in your query then you're going to have to fetch into a known defined structure rather than employee%ROWTYPE. This is what we call in the business... "design", which is usually based on "requirements". Know your requirements and implement a suitable design accordingly. A good design would seldom be selecting "*" within any query, as a good design would actually know what data is expected to be fetched. -
REF cursor with special characters
Hi all,
I want to display the record set using ref cursor. I am passing varchar field as parameter. How to give this in where cluase of select statement.
i want to use like %parameter_name% in where condition. How to use it in ref cursor.
Thanks in advance,
Paluser546710 wrote:
Hi all,
I want to display the record set using ref cursor. I am passing varchar field as parameter. How to give this in where cluase of select statement.
i want to use like %parameter_name% in where condition. How to use it in ref cursor.
Thanks in advance,
PalWhy using a ref cursor? Do you understand the purpose of ref cursors and how to use them?
Perhaps take a read of the following to get to grips with the basics...
PL/SQL 101 : Understanding Ref Cursors
PL/SQL 101 : Understanding Ref Cursors -
ORA-01008 with ref cursor and dynamic sql
When I run the follwing procedure:
variable x refcursor
set autoprint on
begin
Crosstab.pivot(p_max_cols => 4,
p_query => 'select job, count(*) cnt, deptno, row_number() over (partition by job order by deptno) rn from scott.emp group by job, deptno',
p_anchor => Crosstab.array('JOB'),
p_pivot => Crosstab.array('DEPTNO', 'CNT'),
p_cursor => :x );
end;I get the following error:
^----------------
Statement Ignored
set autoprint on
begin
adsmgr.Crosstab.pivot(p_max_cols => 4,
p_query => 'select job, count(*) cnt, deptno, row_number() over (partition by
p_anchor => adsmgr.Crosstab.array('JOB'),
p_pivot => adsmgr.Crosstab.array('DEPTNO', 'CNT'),
p_cursor => :x );
end;
ORA-01008: not all variables bound
I am running this on a stored procedure as follows:
create or replace package Crosstab
as
type refcursor is ref cursor;
type array is table of varchar2(30);
procedure pivot( p_max_cols in number default null,
p_max_cols_query in varchar2 default null,
p_query in varchar2,
p_anchor in array,
p_pivot in array,
p_cursor in out refcursor );
end;
create or replace package body Crosstab
as
procedure pivot( p_max_cols in number default null,
p_max_cols_query in varchar2 default null,
p_query in varchar2,
p_anchor in array,
p_pivot in array,
p_cursor in out refcursor )
as
l_max_cols number;
l_query long;
l_cnames array;
begin
-- figure out the number of columns we must support
-- we either KNOW this or we have a query that can tell us
if ( p_max_cols is not null )
then
l_max_cols := p_max_cols;
elsif ( p_max_cols_query is not null )
then
execute immediate p_max_cols_query into l_max_cols;
else
RAISE_APPLICATION_ERROR(-20001, 'Cannot figure out max cols');
end if;
-- Now, construct the query that can answer the question for us...
-- start with the C1, C2, ... CX columns:
l_query := 'select ';
for i in 1 .. p_anchor.count
loop
l_query := l_query || p_anchor(i) || ',';
end loop;
-- Now add in the C{x+1}... CN columns to be pivoted:
-- the format is "max(decode(rn,1,C{X+1},null)) cx+1_1"
for i in 1 .. l_max_cols
loop
for j in 1 .. p_pivot.count
loop
l_query := l_query ||
'max(decode(rn,'||i||','||
p_pivot(j)||',null)) ' ||
p_pivot(j) || '_' || i || ',';
end loop;
end loop;
-- Now just add in the original query
l_query := rtrim(l_query,',')||' from ( '||p_query||') group by ';
-- and then the group by columns...
for i in 1 .. p_anchor.count
loop
l_query := l_query || p_anchor(i) || ',';
end loop;
l_query := rtrim(l_query,',');
-- and return it
execute immediate 'alter session set cursor_sharing=force';
open p_cursor for l_query;
execute immediate 'alter session set cursor_sharing=exact';
end;
end;
/I can see from the error message that it is ignoring the x declaration, I assume it is because it does not recognise the type refcursor from the procedure.
How do I get it to recognise this?
Thank you in advanceThank you for your help
This is the version of Oracle I am running, so this may have something to do with that.
Oracle9i Enterprise Edition Release 9.2.0.8.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.8.0 - Production
I found this on Ask Tom (http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:3027089372477)
Hello, Tom.
I have one bind variable in a dynamic SQL expression.
When I open cursor for this sql, it gets me to ora-01008.
Please consider:
Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.1 - Production
JServer Release 8.1.7.4.1 - Production
SQL> declare
2 type cur is ref cursor;
3 res cur;
4 begin
5 open res for
6 'select * from (select * from dual where :p = 1) connect by 1 = 1'
7 using 1;
8 end;
9 /
declare
ERROR at line 1:
ORA-01008: not all variables bound
ORA-06512: at line 5
SQL> declare
2 type cur is ref cursor;
3 res cur;
4 begin
5 open res for
6 'select * from (select * from dual where :p = 1) connect by 1 = 1'
7 using 1, 2;
8 end;
9 /
PL/SQL procedure successfully completed.
And if I run the same thing on 10g -- all goes conversely. The first part runs ok, and the second
part reports "ORA-01006: bind variable does not exist" (as it should be, I think). Remember, there
is ONE bind variable in sql, not two. Is it a bug in 8i?
What should we do to avoid this error running the same plsql program code on different Oracle
versions?
P.S. Thank you for your invaluable work on this site.
Followup June 9, 2005 - 6pm US/Eastern:
what is the purpose of this query really?
but it would appear to be a bug in 8i (since it should need but one). You will have to work that
via support. I changed the type to tarray to see if the reserved word was causing a problem.
variable v_refcursor refcursor;
set autoprint on;
begin
crosstab.pivot (p_max_cols => 4,
p_query =>
'SELECT job, COUNT (*) cnt, deptno, ' ||
' ROW_NUMBER () OVER ( ' ||
' PARTITION BY job ' ||
' ORDER BY deptno) rn ' ||
'FROM emp ' ||
'GROUP BY job, deptno',
p_anchor => crosstab.tarray ('JOB'),
p_pivot => crosstab.tarray ('DEPTNO', 'CNT'),
p_cursor => :v_refcursor);
end;
/Was going to use this package as a stored procedure in forms but I not sure it's going to work now. -
Ref cursors and dynamic sql..
I want to be able to use a fuction that will dynamically create a SQL statement and then open a cursor based on that SQL statement and return a ref to that cursor. To achieve that, I am trying to build the sql statement in a varchar2 variable and using that variable to open the ref cursor as in,
open l_stmt for refcurType;
where refcurType is a strong ref cursor. I am unable to do so because I get an error indication that I can not use strong ref cursor type. But, if I can not use a strong ref cursor, I will not be able to use it to build the report based on the ref cursor because Reports 9i requires strong ref cursors to be used. Does that mean I can not use dynamic sql with Reports 9i ref cursors? Else, how I can do that? Any documentation available?Philipp,
Thank you for your reply. My requirement is that, sometimes I need to construct a whole query based on some input, and sometimes not. But the output record set would be same and the layout would be more or less same. I thought ref cursor would be ideal. Ofcourse, I could do this without dynamic SQL by writing the SQL multiple times if needed. But, I think dynamic SQL is a proper candidate for this case. Your suggestion to use lexical variable is indeed a good alternative. In effect, if needed, I could generate an entire SQL statement and place in some place holder (like &stmt) and use it as a static SQL query in my data model. In that case, why would one ever need ref cursor in reports? Is one more efficient over the other? My guess is, in the lexical variable case, part of the processing (like parsing) is done on the app server while in a function based ref cursor, the entire process takes place in the DB server and there is probably a better chance for re-use(?)
Thanks,
Murali. -
Hi..
I'm using a ref cursor query to fetch data for a report and works just fine. However i need to use dynamic sql in the query because the columns used in the where condition and for some calculations may change dynamically according to user input from the form that launches the report..
Ideally the query should look like this:
select
a,b,c
from table
where :x = something
and :y = something
and (abs(:x/:y........)
The user should be able to switch between :x and :y
Is there a way to embed dynamic sql in a ref cursor query in Reports 6i?
Reports 6i
Forms 6i
Windows 2000 PROHello Nicola,
You can parameterize your ref cursor by putting the query's select statement in a procedure/function (defined in your report, or in the database), and populating it based on arguments accepted by the procedure.
For example, the following procedure accepts a strongly typed ref cursor and populates it with emp table data based on the value of the 'mydept' input parameter:
Procedure emp_refcursor(emp_data IN OUT emp_rc, mydept number) as
Begin
-- Open emp_data for select all columns from emp where deptno = mydept;
Open emp_data for select * from emp where deptno = mydept;
End;
This procedure/function can then be called from the ref cursor query program unit defined in your report's data model, to return the filled ref cursor to Reports.
Thanks,
The Oracle Reports Team. -
Report using ref cursor or dynamic Sql
Hi,
I never create a report using a ref cursor or a dynamic sql. Could any one help me to solve the below issue.
I have 2 tables.
1. Student_Record
2. Student_csv_help
Student_Record the main table where the data is stored.
Student_csv_help will contain the all the column names of the Student_record.
CREATE TABLE Student_CSV_HELP
ENTRY_ID NUMBER,
RAW_NAME VARCHAR2(40 BYTE),
DESC_NAME VARCHAR2(1000 BYTE),
IN_OUTPUT_LIST VARCHAR2(1 BYTE)
SET DEFINE OFF;
Insert into TOA_CSV_HELP
(ENTRY_ID, RAW_NAME, DESC_NAME, IN_OUTPUT_LIST)
Values
(1, 'S_ID', 'Student ID', 'Y');
Insert into TOA_CSV_HELP
(ENTRY_ID, RAW_NAME, DESC_NAME, IN_OUTPUT_LIST)
Values
(2, 'S_Name', 'Student Name', 'Y');
Insert into TOA_CSV_HELP
(ENTRY_ID, RAW_NAME, DESC_NAME, IN_OUTPUT_LIST)
Values
(3, 'S_Join_date', 'Joining Date', 'Y');
Insert into TOA_CSV_HELP
(ENTRY_ID, RAW_NAME, DESC_NAME, IN_OUTPUT_LIST)
Values
(4, 'S_Address', 'Address', 'Y');
Insert into TOA_CSV_HELP
(ENTRY_ID, RAW_NAME, DESC_NAME, IN_OUTPUT_LIST)
Values
(5, 'S_Fee', 'Tution Fee', 'N');
commit;
CREATE TABLE Student_record
S_ID NUMBER,
S_Name VARCHAR2(100 BYTE),
S_Join_date date,
S_Address VARCHAR2(360 BYTE),
S_Fee Number
Insert into Student_record
(S_ID, S_Name, S_Join_date, S_Address,S_Fee)
Values
(101, 'john', TO_DATE('12/17/2009 08:00:00', 'MM/DD/YYYY HH24:MI:SS'), 'CA-94777', 2000);
Insert into Student_record
(S_ID, S_Name, S_Join_date, S_Address,S_Fee)
Values
(102, 'arif', TO_DATE('12/18/2009 08:00:00', 'MM/DD/YYYY HH24:MI:SS'), 'CA-94444', 3000);
Insert into Student_record
(S_ID, S_Name, S_Join_date, S_Address,S_Fee)
Values
(103, 'raj', TO_DATE('12/19/2009 08:00:00', 'MM/DD/YYYY HH24:MI:SS'), 'CA-94555', 2500);
Insert into Student_record
(S_ID, S_Name, S_Join_date, S_Address,S_Fee)
Values
(104, 'singh', TO_DATE('12/20/2009 08:00:00', 'MM/DD/YYYY HH24:MI:SS'), 'CA-94666', 2000);
Commit;
Now my requirement is:
I have a form with Student_record data block. When i Click on print Button on this form. It will open another window which has Student_CSV_HELP.DESC_NAME and a check box before this.
The window look like as below:
check_box DESC_NAME+
X S_ID+
-- S_Name+
X S_Join_date+
X S_Address+
-- S_Fee+
X means check box checked.+
-- means check box Unchecked.+
After i selected these check boxes i will send 2 parameters to the report server
1. a string parameter to the report server which has the value 'S_ID,S_Join_date,S_Address' (p_column_name := 'S_ID,S_Join_date,S_Address');
2. the s_id value from the student_record block (p_S_id := '101');
Now my requirement is when i click on run. I need a report like as below:
Student ID : 101+
Joining Date : 12/17/2009 08:00:00+
Address : CA-94777+
This is nothing but the ref cursor should run like as below:
Select S_id from student_record block S_id = :p_S_id;
Select S_Join_date from student_record block S_id = :p_S_id;
Select S_Address from student_record block S_id = :p_S_id;
So, according to my understanding i have to select the columns at the run time. I dont have much knowledge in creating reports using ref cursor or dynamic sql.
So please help me to solve this issue.
Thanks in advance.Plain sql should satisfy your need. Try ....
Select S_id, S_Join_date, S_Address
from student_record
where S_id = :p_S_id -
An issue with Dynamic SQL within Package using REF CURSOR
Hi there,
In the following package first two procedures works file but since I have added the third one ( GET_CONTRACT_BY_DYN_SQL) it does not work for me. When I try to compile and save it gives below error.
"Error(6,15): PLS-00323: subprogram or cursor 'GET_CONTRACT_BY_DYN_SQL' is declared in a package specification and must be defined in the package body"
Can you please help?
Package Header
create or replace
PACKAGE CONTRACTS_PKG AS
TYPE T_CURSOR IS REF CURSOR;
PROCEDURE GET_CONRACTS (IO_CURSOR IN OUT T_CURSOR);
PROCEDURE GET_CONTRACT_BY_ID (I_CONTRACTID IN NUMBER, IO_CURSOR IN OUT T_CURSOR);
PROCEDURE GET_CONTRACT_BY_DYN_SQL(P_CONTRATID IN NUMBER, P_COLS IN VARCHAR2, IO_CURSOR IN OUT T_CURSOR);
END CONTRACTS_PKG;
Package Body
create or replace
PACKAGE BODY CONTRACTS_PKG AS
-- Get All Contracts
PROCEDURE GET_CONRACTS(IO_CURSOR IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
BEGIN
OPEN V_CURSOR FOR
SELECT * FROM CONTRACTS;
IO_CURSOR := V_CURSOR;
END GET_CONRACTS;
-- Get Contract By ID
PROCEDURE GET_CONTRACT_BY_ID(I_CONTRACTID IN NUMBER, IO_CURSOR IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
BEGIN
OPEN V_CURSOR FOR
SELECT * FROM CONTRACTS WHERE contract_id = I_CONTRACTID;
IO_CURSOR := V_CURSOR;
END GET_CONTRACT_BY_ID;
-- Get Contract Using Dynamic SQL
PROCEDURE GET_CONTRACT_BY_DYN_SQL(P_CONTRACTID IN NUMBER, P_COLS IN VARCHAR2, IO_CURSOR IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
V_SQL VARCHAR2(200);
BEGIN
V_SQL := 'SELECT '|| P_COLS || ' FROM CONTRACTS WHERE contract_id = ' || P_CONTRACTID ;
--OPEN V_CURSOR FOR
--EXECUTE IMMEDIATE V_SQL INTO V_CURSOR;
OPEN V_CURSOR FOR V_SQL;
EXECUTE IMMEDIATE V_SQL;
--IO_CURSOR := V_CURSOR;
END GET_CONTRACT_BY_DYN_SQL;
END CONTRACTS_PKG;
Thanks in advance.
HiteshThanks guys. Finally I have tweaked as per your suggestions and it's working for all 3 cases (stored procedures).
Oracle
======
Package Header
create or replace
PACKAGE CONTRACTS_PKG AS
TYPE T_CURSOR IS REF CURSOR;
PROCEDURE GET_CONRACTS (IO_CURSOR IN OUT T_CURSOR);
PROCEDURE GET_CONTRACT_BY_ID (I_CONTRACTID IN NUMBER, IO_CURSOR IN OUT T_CURSOR);
PROCEDURE GET_CONTRACT_BY_DYN_SQL(P_CONTRACTID IN NUMBER, P_COLS IN VARCHAR2, IO_CURSOR IN OUT T_CURSOR);
END CONTRACTS_PKG;
Package Body
create or replace
PACKAGE BODY CONTRACTS_PKG AS
-- Get All Contracts
PROCEDURE GET_CONRACTS(IO_CURSOR IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
BEGIN
OPEN V_CURSOR FOR
SELECT * FROM CONTRACTS;
IO_CURSOR := V_CURSOR;
END GET_CONRACTS;
-- Get Contract By ID
PROCEDURE GET_CONTRACT_BY_ID(I_CONTRACTID IN NUMBER, IO_CURSOR IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
BEGIN
OPEN V_CURSOR FOR
SELECT * FROM CONTRACTS WHERE contract_id = I_CONTRACTID;
IO_CURSOR := V_CURSOR;
END GET_CONTRACT_BY_ID;
-- Get Contract Using Dynamic SQL
PROCEDURE GET_CONTRACT_BY_DYN_SQL(P_CONTRACTID IN NUMBER, P_COLS IN VARCHAR2, IO_CURSOR IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
V_SQL VARCHAR2(200);
BEGIN
IF p_contractid > 0 THEN
V_SQL := 'SELECT '|| P_COLS || ' FROM CONTRACTS WHERE contract_id = ' || P_CONTRACTID ;
ELSE
V_SQL := 'SELECT '|| P_COLS || ' FROM CONTRACTS';
END IF;
OPEN V_CURSOR FOR V_SQL;
IO_CURSOR := V_CURSOR;
END GET_CONTRACT_BY_DYN_SQL;
END CONTRACTS_PKG;
ColdFusion (calling app code)
=====================
<cfstoredproc procedure="CONTRACTS_PKG.GET_CONTRACT_BY_ID" datasource="#REQUEST.dsn#">
<cfprocparam cfsqltype="CF_SQL_INTEGER" type="in" value="1" variable="I_CONTRACTID">
<cfprocresult name="qData" resultset="1">
</cfstoredproc>
<br>Single Contract:
<cfdump var="#qData#" label="Single Contract">
<cfstoredproc procedure="CONTRACTS_PKG.GET_CONRACTS" datasource="#REQUEST.dsn#">
<cfprocresult name="qDataAll" resultset="1">
</cfstoredproc>
<br>All Contracts:
<cfdump var="#qDataAll#" label="All Contracts">
<cfstoredproc procedure="CONTRACTS_PKG.GET_CONTRACT_BY_DYN_SQL" datasource="#REQUEST.dsn#">
<cfprocparam cfsqltype="CF_SQL_INTEGER" type="in" value="1" variable="P_CONTRACTID">
<cfprocparam cfsqltype="CF_SQL_VARCHAR" type="in" value="contract_number,contract_title,created_date" variable="P_COLS">
<cfprocresult name="qDataDynSQL" resultset="1">
</cfstoredproc>
<br>Dynamic SQL Query:
<cfdump var="#qDataDynSQL#" label="Dynamic SQL Query">
Thanks,
Hitesh Patel
Maybe you are looking for
-
I tried to download a movie on my iPad but it didn't work... Is there some way I can access it on my computer now to download it? When I go to purchases in my iTunes it doesn't come up :-/
-
Hi All, When I run the standard EE01 Report (S_AHR_61016152) I am getting an error log of: Record could not be found. t5ueeo Z$$000001 2010 17 Record could not be found, t5uee0 Z$$000001 2011 17 I have setup variant. This error is showing up on all o
-
Crosstab Report in JDeveloper 10.1.3.3
Hi, I am new to JDeveloper. I am looking to develop an crosstab report in JDeveloper. I have managed to get this working in Discoverer using a Discoverer Crosstab report, but I cannot seem to replicate this in JDeveloper Previous versions seem to use
-
Hi, I need to add a custom button to the alv grid menu and i couldnt able to see the screen when i execute this program. Will u please tell me how to add a new button to the existing application toolbar of the ALV grid. I had tried this code but coul
-
A friend has a windows ipod. I offered to transfer some stuff off my mac to his ipod. Can I do that? I might have opend my mouth early.