4.2 Use Bind Arguments with Dynamic PL/SQL |
||||||||||
|
As with dynamic SQL, you should avoid constructing dynamic PL/SQL with string concatenation. The impact of SQL injection vulnerabilities in dynamic PL/SQL is even more serious than in dynamic SQL because with dynamic PL/SQL, multiple statements (such DELETE or DROP) can be batched together and injected. If you must use dynamic PL/SQL, try to use bind arguments. For example, you can rewrite this dynamic PL/SQL with concatenated string values:
into this dynamic PL./SQL with placeholders (:1, :2) using bind arguments (p_fname, p_lname):
|