Hi all,
I have a procedure in which, based on a user-passed value (parameter), data is selected from a table into a ref cursor.
To allow a wildcard (partial text) search, % is appended on both sides of the parameter when it is used in the WHERE clause of the query with the LIKE operator.
I just want to know if SQL injection is possible in this query.
-- Throw-away test table: a handful of rows copied from USER_OBJECTS
DROP TABLE test;
CREATE TABLE test AS SELECT object_id, object_name FROM user_objects WHERE ROWNUM < 5;
SELECT * FROM test;
COMMIT;

-- Search procedure: static SQL, p_obj_name wrapped in % on both sides for a partial match
CREATE OR REPLACE PROCEDURE P_TEST
(
   p_obj_name IN VARCHAR2
  ,p_obj_list OUT SYS_REFCURSOR
)
IS
BEGIN
   OPEN p_obj_list
   FOR
      SELECT *
        FROM test
       WHERE object_name LIKE '%' || p_obj_name || '%'
       ORDER BY object_name;
END;
/
Regards
Arun
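The following is an added example, not code from the original post. It contrasts the static-SQL form above, where p_obj_name is a bind variable and the '%' || p_obj_name || '%' concatenation is evaluated by the SQL engine on the bound value, with a dynamic-SQL form that splices the parameter into the statement text, and it shows the ESCAPE clause for the case where a caller supplies % or _ to widen the match. The table TEST is the one the post creates; the procedure names P_TEST_DYNAMIC and P_TEST_ESCAPED, the sample inputs and the SQL*Plus session are assumptions made for illustration.

```sql
-- Added example (not from the original post). TEST is the post's table;
-- P_TEST_DYNAMIC, P_TEST_ESCAPED and the inputs below are assumptions.

-- 1. The post's P_TEST uses static SQL: p_obj_name is bound, so a value
--    such as q'[' OR 1=1 OR 'a' LIKE ']' is searched for literally and
--    never becomes statement text. What a caller CAN do is pass '%' or
--    '_' and widen the match (every row for '%').

-- 2. Dynamic SQL built by concatenation: here the parameter IS statement
--    text, so the same value changes the query.
CREATE OR REPLACE PROCEDURE P_TEST_DYNAMIC
(
   p_obj_name IN VARCHAR2
  ,p_obj_list OUT SYS_REFCURSOR
)
IS
   l_sql VARCHAR2(4000);
BEGIN
   -- Vulnerable on purpose: a quote in the input closes the literal.
   l_sql := 'SELECT * FROM test WHERE object_name LIKE ''%'
            || p_obj_name
            || '%'' ORDER BY object_name';
   OPEN p_obj_list FOR l_sql;
END;
/
-- Input:  x' OR 1=1 OR object_name LIKE '
-- Statement actually executed:
--   SELECT * FROM test WHERE object_name LIKE '%x' OR 1=1
--     OR object_name LIKE '%' ORDER BY object_name
-- which returns every row. The fix is to bind even in dynamic SQL:
--   OPEN p_obj_list FOR
--      'SELECT * FROM test WHERE object_name LIKE :pat ORDER BY object_name'
--      USING '%' || p_obj_name || '%';

-- 3. Wildcard handling for the static version: escape \, % and _ in the
--    input so they match literally, then add the outer wildcards.
CREATE OR REPLACE PROCEDURE P_TEST_ESCAPED
(
   p_obj_name IN VARCHAR2
  ,p_obj_list OUT SYS_REFCURSOR
)
IS
   l_pattern VARCHAR2(4000);
BEGIN
   -- Escape the escape character first, then the two LIKE metacharacters.
   l_pattern := REPLACE(REPLACE(REPLACE(p_obj_name, '\', '\\'), '%', '\%'), '_', '\_');
   OPEN p_obj_list
   FOR
      SELECT *
        FROM test
       WHERE object_name LIKE '%' || l_pattern || '%' ESCAPE '\'
       ORDER BY object_name;
END;
/

-- Comparing the behaviours from SQL*Plus (constructed inputs):
VARIABLE rc REFCURSOR
EXEC P_TEST('%', :rc);                              -- static: every row (wildcard widening)
PRINT rc
EXEC P_TEST_ESCAPED('%', :rc);                      -- escaped: only names containing a literal %
PRINT rc
EXEC P_TEST(q'[' OR 1=1 OR 'a' LIKE ']', :rc);      -- static: literal search, no rows
PRINT rc
EXEC P_TEST_DYNAMIC(q'[x' OR 1=1 OR object_name LIKE ']', :rc);  -- dynamic: every row
PRINT rc
```

The distinction that matters is where the concatenation happens: inside the SQL statement on a bound value (P_TEST, P_TEST_ESCAPED) the parameter stays data; in PL/SQL before the statement is parsed (P_TEST_DYNAMIC) it becomes code. Wildcard widening is a separate, lower-severity issue, and the ESCAPE clause is the fix when a literal match on % or _ is intended.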