
4.3 What If You Cannot Use Bind Arguments?


Although you should strive to use bind arguments with all dynamic SQL and PL/SQL statements, there are instances where bind arguments cannot be used:

  • DDL statements (such as CREATE, DROP, and ALTER)
  • Oracle identifiers (such as names of columns, tables, schemas, database links, packages, procedures, and functions)

If bind arguments cannot be used in a dynamic SQL or PL/SQL statement, you must filter and sanitize all input concatenated to that statement.

In the next lesson, you learn how to use the Oracle-supplied DBMS_ASSERT package functions to filter and sanitize input values.
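
The following is an added example, not code from the original tutorial. It shows one way to handle the identifier case: the hypothetical function `count_matching` checks the caller-supplied table and column names against the data dictionary, quotes the dictionary's own copy of each name with `DBMS_ASSERT.ENQUOTE_NAME`, and still passes the data value as a bind argument.

```plsql
-- Added example; the function name and parameters are hypothetical.
-- Counts rows in a caller-named table where a caller-named column
-- equals a caller-supplied value.
CREATE OR REPLACE FUNCTION count_matching (
  p_table  IN VARCHAR2,   -- identifier: cannot be a bind argument
  p_column IN VARCHAR2,   -- identifier: cannot be a bind argument
  p_value  IN VARCHAR2    -- data value: can and should be bound
) RETURN NUMBER
IS
  v_table  user_tab_columns.table_name%TYPE;
  v_column user_tab_columns.column_name%TYPE;
  v_sql    VARCHAR2(400);
  v_count  NUMBER;
BEGIN
  -- Static SQL: PL/SQL variables are passed as bind values here, so the
  -- input cannot change this lookup. Only a table and column that exist
  -- in the function owner's schema get through; anything else raises
  -- NO_DATA_FOUND before any dynamic statement is built.
  SELECT table_name, column_name
    INTO v_table, v_column
    FROM user_tab_columns
   WHERE table_name  = UPPER(p_table)
     AND column_name = UPPER(p_column);

  -- Concatenate the dictionary's copy of each name, never the raw input.
  -- ENQUOTE_NAME wraps the name in double quotes; FALSE keeps its case.
  v_sql := 'SELECT COUNT(*) FROM '
        || DBMS_ASSERT.ENQUOTE_NAME(v_table, FALSE)
        || ' WHERE '
        || DBMS_ASSERT.ENQUOTE_NAME(v_column, FALSE)
        || ' = :val';

  -- The value is still supplied through a bind argument.
  EXECUTE IMMEDIATE v_sql INTO v_count USING p_value;
  RETURN v_count;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- Generic message: do not echo the rejected input back to the caller.
    RAISE_APPLICATION_ERROR(-20001, 'Unknown table or column name');
END count_matching;
/
```

Because the lookup compares against `UPPER(...)` of the input, tables or columns created with quoted mixed-case names are rejected rather than resolved, which fails safe.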