Why Learn It? Glossary

5. Filtering Input with DBMS_ASSERT

Previous previous|next Next Page

To guard against SQL injection in applications that do not use bind arguments with dynamic SQL, you must filter and sanitize concatenated strings. The primary use case for dynamic SQL with string concatenation is when an Oracle identifier (such as table name) is unknown at code compilation time.

The DBMS_ASSERT package contains a number of functions that can be used to filter and sanitize input strings, particularly those that are meant to be used as Oracle identifiers.

Explain the various input and output formats for Oracle identifiers
Describe the DBMS_ASSERT functions
Choose the correct DBMS_ASSERT functions to use
Explain the DBMS_ASSERT usage considerations