5.2 Format Oracle Identifiers

To use DBMS_ASSERT effectively, you need to understand how Oracle identifiers can be specified and used.

In a SQL statement, you specify an object name with an unquoted or a quoted identifier.

The object name may be used as an identifier:

 

SELECT count(*) records FROM employees

or as a literal:

 

SELECT num_rows FROM user_tables
WHERE table_name = 'EMPLOYEES'

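Notice that the two queries above access the same table: Oracle folds an unquoted identifier to upper case, so employees is recorded in the data dictionary as EMPLOYEES.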

In contrast, the statement below uses a quoted (normal format) identifier, which is case-sensitive and is not folded to upper case, and so references a different table:

 

SELECT count(*) records FROM "employees"

SQL injection attacks can use the quoted method to attempt to subvert code that has been written to expect only the unquoted, more common, method.
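One way to keep the literal use and the identifier use of a caller-supplied table name in step, shown as an added example that is not part of the original tutorial. The names count_rows and p_table and the two sample tables are hypothetical; the DBMS_ASSERT calls are the package's SIMPLE_SQL_NAME and ENQUOTE_NAME functions.

```sql
-- Added example. count_rows, p_table and the EMPLOYEES / "employees"
-- tables used in the calls at the end are hypothetical.
CREATE OR REPLACE FUNCTION count_rows (p_table IN VARCHAR2)
  RETURN NUMBER
IS
  l_name  VARCHAR2(32767);
  l_dict  VARCHAR2(32767);
  l_found PLS_INTEGER;
  l_count NUMBER;
BEGIN
  -- Accept exactly one identifier, quoted or unquoted.
  -- Any other input raises ORA-44003 (invalid SQL name).
  l_name := DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(p_table));

  -- Derive the data dictionary spelling the way the SQL parser does.
  IF SUBSTR(l_name, 1, 1) = '"' THEN
    l_dict := SUBSTR(l_name, 2, LENGTH(l_name) - 2);  -- quoted: case kept
  ELSE
    l_dict := UPPER(l_name);                          -- unquoted: folded
  END IF;

  -- Literal use: l_dict is bound as a value, never concatenated.
  SELECT COUNT(*) INTO l_found
    FROM user_tables
   WHERE table_name = l_dict;

  IF l_found = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Unknown table');
  END IF;

  -- Identifier use: always emit the quoted form of the name that was
  -- just checked, so both steps refer to the same object.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.ENQUOTE_NAME(l_dict, FALSE)
    INTO l_count;
  RETURN l_count;
END count_rows;
/

-- Constructed calls, assuming both tables exist in the current schema:
SELECT count_rows('employees')   FROM dual;  -- resolves to EMPLOYEES
SELECT count_rows('EMPLOYEES')   FROM dual;  -- resolves to EMPLOYEES
SELECT count_rows('"employees"') FROM dual;  -- resolves to "employees"
```

Because the dictionary lookup and the dynamic statement both use l_dict, a quoted name cannot pass the existence check as one table and then be executed against another.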

For more details on this topic, see:
Oracle® Database SQL Reference,
Schema Object Names and Qualifiers