If one writes utility programs that typically take a table_name and a schema_name and one uses execute immediate, then one
is not using bind variables and is subject to SQL injection. So what should I do to cleanse table_name and schema_name?
I see that names of tables are way more flexible than I thought:
http://docs.oracle.com/cd/B28359_01/server.111/b28286/sql_elements008.htm#SQLRF51109
Well, we aren't doing quoted identifiers around here for the tables we created, so I'm thinking of going for it in terms of
cleansing those parameters in utility programs solely designed to work on our creations. As a very legacy type, I would not create a table name that was not A-Z, 0-9 and _. Unfortunately I totally forgot how to write a regex or whatever to get rid of anything not in A-Z, 0-9 and _.
Anyone care to remind me? (I never was good at regex :-( I know, dumb question...)
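One way to do this in PL/SQL, as an added example that is not part of the original post: reject anything outside the A-Z, 0-9 and _ shape with REGEXP_LIKE, then hand the name to Oracle's DBMS_ASSERT package before it reaches execute immediate. The safe_ident function, the count_rows procedure and the SCOTT.EMP calls are assumptions for illustration.

```sql
-- Validate a schema or table name before splicing it into EXECUTE IMMEDIATE.
-- Only names of the legacy shape the post describes pass: a letter followed by
-- up to 29 letters, digits or underscores (the 30-character limit of pre-12.2
-- Oracle). Anything else is rejected, not stripped: stripping characters out
-- of 'EMP; DROP TABLE X' would silently yield a different, possibly real, name.
-- Input is upper-cased because the post says unquoted identifiers are used.
CREATE OR REPLACE FUNCTION safe_ident(p_name IN VARCHAR2) RETURN VARCHAR2 IS
  l_name VARCHAR2(128) := UPPER(TRIM(p_name));
BEGIN
  IF l_name IS NULL OR NOT REGEXP_LIKE(l_name, '^[A-Z][A-Z0-9_]{0,29}$') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Invalid identifier: ' || SUBSTR(NVL(p_name, '<null>'), 1, 64));
  END IF;
  -- Independent second check by the supplied DBMS_ASSERT package (10gR2+);
  -- it raises ORA-44003 if the name is not a valid simple SQL name.
  RETURN DBMS_ASSERT.SIMPLE_SQL_NAME(l_name);
END safe_ident;
/

-- Hypothetical utility procedure showing the checked names in use; the row
-- count is just a stand-in for whatever the real utility does with the table.
CREATE OR REPLACE PROCEDURE count_rows(p_schema IN VARCHAR2,
                                       p_table  IN VARCHAR2) IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  -- ENQUOTE_NAME wraps the validated name in double quotes, so even a name
  -- that happened to match a keyword could not change the statement shape.
  l_sql := 'SELECT COUNT(*) FROM '
        || DBMS_ASSERT.ENQUOTE_NAME(safe_ident(p_schema), FALSE) || '.'
        || DBMS_ASSERT.ENQUOTE_NAME(safe_ident(p_table),  FALSE);
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE(l_sql || ' -> ' || l_count);
END count_rows;
/

-- Constructed calls: the first runs SELECT COUNT(*) FROM "SCOTT"."EMP";
-- the second raises ORA-20001 before any dynamic SQL is built.
BEGIN
  count_rows('scott', 'emp');
END;
/
BEGIN
  count_rows('SCOTT', 'EMP"; DROP TABLE X');
END;
/
```

Rejecting with an error rather than deleting the offending characters is the safer choice for a utility: a stripped name can still resolve to a real object, and the error gives you a log entry to investigate.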