oracle存储过程防止sql注入的问题。。。。。。。。。。。。。。。。。。。。。。。。。。。。
我用open cursor1 for v_sqlstring动态打开游标,那个v_sqlstring是一个查询语句,为了防止查询条件有单引号之类的特殊符号,我用replace替换掉了单引号。
但是要查询的内容有单引号,要把这条含有单引号的内容查出来的话,就查不出了,什么办???
select replace(projectname,'''','') into projectname_temp from dual;这个地方把查询条件projectname里的单引号去掉了,但是如果这个字段里的数据有单引号的话,就查不出来了。。
CREATE OR REPLACE function certificatefunction1( projectstate in int, projectname in varchar, startDateMin in varchar, startDateMax in varchar, endDateMin in varchar, endDateMax in varchar, certificateType in int, versions in varchar ) return sys_refcursoras cursor1 sys_refcursor; projectname_temp varchar(50); sqlstr varchar(2000);begin sqlstr := sqlstr || ' select pp.profile_Id,pp.name,pp.version,pp.start_Date,pp.end_Date,pci.certificate_Type '; sqlstr := sqlstr || ' from Project_Profile pp,Project_Certificate_Info pci '; sqlstr := sqlstr || ' where pp.profile_Id = pci.profile_Id '; sqlstr := sqlstr || ' and pp.status != ' || projectstate; if projectname is not null then select replace(projectname,'''','') into projectname_temp from dual; sqlstr := sqlstr || ' and pp.name like ''%' || projectname_temp || '%'''; end if; if startDateMin is not null then sqlstr := sqlstr || ' and pp.start_date >= to_date(''' || startDateMin || ''',''yyyy-mm-dd'')'; end if; if startDateMax is not null then sqlstr := sqlstr || ' and pp.start_date < to_date(''' || startDateMax || ''',''yyyy-mm-dd'')'; end if; if endDateMin is not null then sqlstr := sqlstr || ' and pp.end_date >= to_date(''' || endDateMin || ''',''yyyy-mm-dd'')'; end if; if endDateMax is not null then sqlstr := sqlstr || ' and pp.end_date <= to_date(''' || endDateMax || ''',''yyyy-mm-dd'')'; end if; if certificateType != -1 then sqlstr := sqlstr || ' and pci.certificate_Type = ' || certificateType; end if; if versions is not null then sqlstr := sqlstr || ' and pp.version like ''%' || versions || '%'''; end if; sqlstr := sqlstr || ' order by pp.profile_Id desc '; open cursor1 for sqlstr; return cursor1;end certificatefunction1;