5.2 Format Oracle Identifiers
To use DBMS_ASSERT effectively, you need to understand how Oracle identifiers can be specified and used.
In a SQL statement, you specify an object name with an unquoted or a quoted identifier. The object name may be used as an identifier:
or as a literal:
Notice that the two queries above access the same table. In contrast, the statement below uses a quoted (normal format) identifier and references a different table:
SQL injection attacks can use the quoted method to attempt to subvert code that has been written to expect only the unquoted, more common, method.
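The unquoted, literal and quoted forms described above, shown side by side with a DBMS_ASSERT check on a caller-supplied name. This is an added example, not code from the original page; the tables `orders` and `"orders"` and the function `count_rows` are constructed for illustration.

```sql
-- Constructed tables: two distinct objects in the same schema.
CREATE TABLE orders   (id NUMBER);  -- unquoted: stored in the dictionary as ORDERS
CREATE TABLE "orders" (id NUMBER);  -- quoted: stored exactly as typed (lowercase)

-- Object name used as an identifier. Unquoted identifiers are not
-- case-sensitive, so both statements read the table ORDERS.
SELECT COUNT(*) FROM orders;
SELECT COUNT(*) FROM Orders;

-- Object name used as a literal. The string must match the form
-- stored in the data dictionary, which is upper case here.
SELECT table_name FROM user_tables WHERE table_name = 'ORDERS';

-- Quoted identifier: case-sensitive, so this reads the other table.
SELECT COUNT(*) FROM "orders";

-- Hypothetical function that builds dynamic SQL from a caller-supplied name.
CREATE OR REPLACE FUNCTION count_rows(p_table IN VARCHAR2) RETURN NUMBER
AUTHID CURRENT_USER
IS
  v_name  VARCHAR2(130);
  v_count NUMBER;
BEGIN
  -- SIMPLE_SQL_NAME accepts a well-formed unquoted or quoted simple
  -- identifier and raises ORA-44003 for anything else.
  v_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || v_name INTO v_count;
  RETURN v_count;
END;
/
```

Both `count_rows('orders')` and `count_rows('"orders"')` pass the check yet read different tables, so code that must reach only a known set of objects should also compare the validated name against an allowlist.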