Sanitizing user input using DBMS_ASSERT

MatthiasHoys, Jun 25 2009 (edited Jun 26 2009)
Hello,

I am developing a number of search input forms where the search SQL string is dynamically constructed in PL/SQL using dynamic SQL.
I now want to create a function to sanitize the user input strings to avoid SQL injection.

I tried using DBMS_ASSERT.simple_sql_name and this seems to work fine for character strings, but it also raises an error on strings starting with a number (for example: SELECT dbms_assert.simple_sql_name('123TEST') FROM dual), and this is not what I want.

Is there another solution for this except writing my own function?


Thanks,
Matthias
This post has been answered by 557616 on Jun 25 2009
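An added example, not code from this thread, showing the split the question leads to: the one part of a search statement that cannot be bound (a column identifier) is validated with DBMS_ASSERT, using the quoted form that lets a name such as 123TEST through, while the search text itself is passed as a bind variable rather than sanitized. The customers table, its columns and the function name are constructed for the example.

```sql
-- Constructed table for the example; not part of the original thread.
CREATE TABLE customers (
  id        NUMBER,
  cust_name VARCHAR2(100),
  city      VARCHAR2(60)
);

CREATE OR REPLACE FUNCTION search_customers (
  p_sort_col  IN VARCHAR2,   -- column name picked by the user (an identifier)
  p_name_part IN VARCHAR2    -- free-text search value typed by the user
) RETURN SYS_REFCURSOR
IS
  l_cur SYS_REFCURSOR;
  l_sql VARCHAR2(4000);
  l_col VARCHAR2(130);
  l_n   PLS_INTEGER;
BEGIN
  -- 1. Identifiers cannot be bound, so validate before concatenating.
  --    ENQUOTE_NAME wraps the name in double quotes (uppercasing an unquoted
  --    name) and rejects stray double quotes; SIMPLE_SQL_NAME accepts the
  --    quoted form, so "123TEST" passes even though bare 123TEST does not.
  l_col := DBMS_ASSERT.SIMPLE_SQL_NAME(DBMS_ASSERT.ENQUOTE_NAME(p_sort_col));

  -- 2. DBMS_ASSERT only proves the token is a well-formed name; it does not
  --    prove the caller may sort by it. Check it against an allow-list,
  --    here the columns of the one table this search is meant to query.
  SELECT COUNT(*)
    INTO l_n
    FROM user_tab_columns
   WHERE table_name = 'CUSTOMERS'
     AND '"' || column_name || '"' = l_col;
  IF l_n = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'sort column not permitted');
  END IF;

  -- 3. The search value is never concatenated into the statement text.
  --    As a bind variable, quotes or comment markers in the input are just
  --    characters inside the LIKE pattern, not SQL.
  l_sql := 'SELECT id, cust_name, city FROM customers '
        || 'WHERE UPPER(cust_name) LIKE ''%'' || UPPER(:name_part) || ''%'' '
        || 'ORDER BY ' || l_col;

  OPEN l_cur FOR l_sql USING p_name_part;
  RETURN l_cur;
END search_customers;
/
```

Where a string value genuinely has to be embedded in the statement text (for example in DDL, where binds are not available), DBMS_ASSERT.ENQUOTE_LITERAL is the corresponding guard for literals.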
Post Details
Locked on Jul 24 2009
Added on Jun 25 2009
10 comments
2,932 views