DBMS_ASSERT v17
The DBMS_ASSERT package lets you sanitize and validate user input to help guard against SQL injections in applications. The following table lists the supported functions:
Function | Return type | Description |
---|---|---|
ENQUOTE_LITERAL | VARCHAR2 | Wraps a string in single quotes |
ENQUOTE_NAME | VARCHAR2 | Wraps quotation marks around a string |
NOOP | anycompatible | Returns the input value without any checking |
QUALIFIED_SQL_NAME | VARCHAR2 | Checks if the input string is a qualified SQL name |
SCHEMA_NAME | VARCHAR2 | Checks if the input string is an existing schema name |
SIMPLE_SQL_NAME | VARCHAR2 | Checks if the input string is a simple SQL name |
SQL_OBJECT_NAME | VARCHAR2 | Checks if the input string is a qualified SQL identifier of an existing SQL object |
See Examples for SQL injection for some demonstrations of how to use DBMS_ASSERT.
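The following SPL example is added here for illustration and is not taken from the EDB documentation. It places a dynamic query that concatenates caller-supplied identifiers beside a version that passes them through SCHEMA_NAME and SIMPLE_SQL_NAME. The function, table and column names are hypothetical, and it assumes that each check returns its input when the check passes and raises an error when it fails.

```sql
-- Added example for EDB SPL. All object names below are hypothetical,
-- and the table and its row are constructed sample data.
CREATE TABLE public.orders (id NUMBER, status VARCHAR2(20));
INSERT INTO public.orders VALUES (1, 'open');

-- Before: caller-supplied text is concatenated into the statement unchecked,
-- so the caller controls the SQL that runs.
CREATE OR REPLACE FUNCTION count_by_status_unchecked (
    p_schema VARCHAR2,
    p_table  VARCHAR2,
    p_status VARCHAR2
) RETURN NUMBER
IS
    v_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT count(*) FROM ' || p_schema || '.' || p_table ||
        ' WHERE status = ''' || p_status || ''''
        INTO v_count;
    RETURN v_count;
END;

-- After: identifiers cannot be bound, so they go through DBMS_ASSERT;
-- the data value is passed as a bind variable instead of being concatenated.
CREATE OR REPLACE FUNCTION count_by_status_checked (
    p_schema VARCHAR2,
    p_table  VARCHAR2,
    p_status VARCHAR2
) RETURN NUMBER
IS
    v_sql   VARCHAR2(4000);
    v_count NUMBER;
BEGIN
    v_sql := 'SELECT count(*) FROM '
          || DBMS_ASSERT.SCHEMA_NAME(p_schema)     -- must be an existing schema name
          || '.'
          || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)  -- must be a simple SQL name
          || ' WHERE status = :status';
    -- Assumption: a failed check raises an error, so this line is never reached
    -- with an unchecked identifier in v_sql.
    EXECUTE IMMEDIATE v_sql INTO v_count USING p_status;
    RETURN v_count;
END;

SELECT count_by_status_checked('public', 'orders', 'open') FROM dual;
```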