5. Filtering Input with DBMS_ASSERT
To guard against SQL injection in applications that build dynamic SQL by string concatenation instead of using bind arguments, you must filter and sanitize the concatenated strings. The usual reason for concatenating strings into dynamic SQL is that an Oracle identifier (such as a table name) is not known when the code is compiled. The DBMS_ASSERT package provides functions that validate and sanitize input strings, in particular strings that are intended to be used as Oracle identifiers.
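The following PL/SQL is an added example, not code from the original paper: it contrasts a procedure that concatenates a caller-supplied table name unchecked with one that first passes the name through DBMS_ASSERT. The procedure names, the dual-based test calls and the use of DBMS_OUTPUT are assumptions made for the example.

```sql
-- Added example (not from the original document). Procedure names and the
-- test inputs below are constructed for illustration.

-- UNSAFE: p_table is spliced into the statement verbatim, so the statement
-- that runs is whatever text the caller chose to pass.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (p_table IN  VARCHAR2,
                                               p_count OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM ' || p_table;
  EXECUTE IMMEDIATE l_sql INTO p_count;
END count_rows_unsafe;
/

-- HARDENED: the untrusted string is validated as an identifier before it is
-- concatenated. DBMS_ASSERT.SQL_OBJECT_NAME returns the input unchanged only
-- if it is a well-formed [schema.]object name that resolves to an object
-- visible to the current user; otherwise it raises ORA-44002 and no dynamic
-- SQL is ever built.
CREATE OR REPLACE PROCEDURE count_rows_safe (p_table IN  VARCHAR2,
                                             p_count OUT NUMBER) AS
  l_name VARCHAR2(261);
  l_sql  VARCHAR2(4000);
BEGIN
  l_name := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  l_sql  := 'SELECT COUNT(*) FROM ' || l_name;
  EXECUTE IMMEDIATE l_sql INTO p_count;
END count_rows_safe;
/

-- Exercise both paths. The first call succeeds because DUAL is a visible
-- object; the second is rejected by DBMS_ASSERT before EXECUTE IMMEDIATE.
SET SERVEROUTPUT ON
DECLARE
  n NUMBER;
BEGIN
  count_rows_safe('DUAL', n);
  DBMS_OUTPUT.PUT_LINE('DUAL rows: ' || n);

  BEGIN
    -- constructed input: not a valid object name, so it must be refused
    count_rows_safe('dual x', n);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);   -- ORA-44002: invalid object name
  END;
END;
/
```

Two points are worth keeping in mind when applying this pattern. First, call the DBMS_ASSERT function on the raw untrusted parameter and concatenate only its return value, not the original string; validating a copy and then using the unvalidated original gives no protection. Second, DBMS_ASSERT establishes that a string is a syntactically valid (and, for SQL_OBJECT_NAME, existing) identifier; it does not decide whether the caller ought to be allowed to name that object, and it is not a substitute for bind arguments, which remain the right tool for data values such as the predicates in a WHERE clause.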