Greg wrote:
> Can you actually use dbms_sql to do something like
>
> SELECT DBMS_SQL.SOME_FUNCTION('sql query string') FROM DUAL
>
> ?
>
> As far as I know one can only use certain functions in SELECT queries.
> Is there a way to use procedures?
>
> I don't care about scalar subqueries.
>
> I am researching a potential vulnerability via functions that take
> string sql queries as argument (standard oracle functions if any or any
> functions from packages that could be used in an SQL query). owa_util
> might be something interesting to look into.
>
> Thank you,
> Greg
>
> Mark C. Stock wrote:
>
>>"Greg" <gregclau_at_yahoo.com> wrote in message
>>news:1123342310.229369.148160_at_g47g2000cwa.googlegroups.com...
>>
>>>Actually there are a few XML functions in DBMS_XMLGEN that take in only
>>>SELECT queries but I was wondering if there are any other outside of
>>>those.
>>>Thanks,
>>>Greg
>>>
>>
>>most folks don't think of Oracle supplied packages when the subject is
>>oracle functions
>>
>>the packages dbms_sql and owa_util also handel dynamic sql
>>
>>can you describe what you're trying to accomplish?
>>
>>your previous example:
>>
>> SELECT FUNCTION('SELECT COLUMN FROM TABLE') FROM TABLE
>>
>>could just be written as a scalar subquery, ie:
>>
>> select
>> ename
>> , deptno
>> , (select sum(sal)
>> from emp e2
>> where e2.deptno = e1.deptno
>> ) as dept_sal
>> from emp e1
>> order by ename
>>
>>why do you need to pass the query as a string, and under what circumstances?
>>
>>++ mcs
>
>
SELECT ENAME,CURSOR(SELECT EMPNO FROM EMP) FROM EMP;
Note that the cursor query here is not a string.
Received on Mon Aug 08 2005 - 01:16:23 CDT
