oracle-apexoracle-apex-23
Interactive Report with dynamic sql and binded variables (sql injection)
I am building an Interactive Report. Source Type is Function Body returning SQL Query. And below is my query which is prone to sql injection. How can i bind variables here?
declare
vsql varchar2(4000);
begin
vsql := 'SELECT Name FROM Customers WHERE 1 = 1 ';
--# There are other checks as well for both SELECT and WHERE which are making this query dynamic
if :P1_NAME is not null then
vsql := vsql || ' AND UPPER(NAME) LIKE Upper('%''' || :P1_NAME || '%'')';
end if;
return vsql;
end;
Solution
Here is how I would do it. The example below has dynamic table and a variable in the where clause using LIKE.
The idea is to sanitize the table name (or any other sql objects) using DBMS_ASSERT.SQL_OBJECT_NAME and use bind variables where possible. So the generated query will still have bind variable substitution.
The double %% is needed because % is a special character in the apex_string.format function:
DECLARE
l_query varchar2(4000);
l_table_name varchar2(400);
BEGIN
l_table_name := DBMS_ASSERT.sql_object_name(NVL(:P142_TABLE_NAME,'EMP'));
l_query :=
q'!select
EMPNO,
ENAME
from
%0
where
ENAME LIKE '%%'||:P142_EMPLOYEE_NAME||'%%'!';
l_query := apex_string.format(l_query,l_table_name);
return(l_query);
END;
query in debug:
- Display user friendly error message while logging SQL error into debugger
- Report Queries in data dictionary APEX
- plsql select with conditional stateful colors
- Oracle Apex - How to prevent escape HTML in e-mail templates?
- Oracle Apex: ORA-24344 Success with compilation error
- How to select today date and time in date picker field by default
- Oracle Apex passing item results from a Select list to another Select list on the same page
- How can I prevent add duplicate items to APEX_COLLECTION
- Oracle Apex Server-side Code do not set item
- How to Show the History Details of Oracle Apex Application Changes?
- Conditionally Formatting background color for Interactive Report Cells of type link
- Custom Event not triggered on Modal Dialog Page
- Exporting Combined Data from Multiple SQL Queries into a Single CSV Report in Oracle APEX
- setting a datetime into global application item
- Why I got error Ajax call returned server error ORA-01422: exact fetch returns more than requested number of rows for ajax_dispatch_request.?
- Populating Form Items with Values from an Uploaded CSV File in Oracle APEX
- Oracle Apex Change date picker format
- Select a row in a IG when dialog closed
- Set page item with value from interactive grid column when clicking on the grid region
- Can't disable session state protection on Oracle APEX 18.1.0.00.45 for Dynamic Actions updating Page Items
- Authentication scheme subscription gets lost on deployment of Apex applications
- Is there a way to modify the Rich Text Editor toolbar in an apex application when the editor is in a column inside an interactive grid?
- Oracle APEX - What is source of "Request" in "Request is contained in Value"
- Custom user attributes in Oracle Apex / User-specific filtering based on attributes
- Oracle APEX Dynamic Action call to package throwing error "ORA-06550: line 11, column 19: PLS-00302: component 'GET_EMP_INFO' must be declared"
- Maximizing a region using jQuery
- How to Handle Large REST API Responses in Oracle APEX Exceeding Page Item Character Limits
- Oracle SQL Insert Trigger to Handle Duplicate Contacts and Update Owner Field
- Oracle Apex page process calling stored procedure not working
- How can I keep anonymous user account perpetually open on Apex 19.2 running on Oracle DB 21c XE?