Dynamic SQL can be built on the fly in one of two ways: you can glue strings
together, or you can use placeholders (bind variables). Gluing strings is
susceptible to SQL injection, because the caller's input becomes part of the
statement text and is parsed as SQL. Placeholders act as formal parameters of
the dynamic statement: the input is passed as a value at bind time and is never
parsed, so the statement itself cannot be altered by it. Note the limit of that
protection: a placeholder can only hold a value, not a table or column name, so
an identifier that varies at run time still has to be checked against an
allow-list before it is glued into the statement.
The process of running a dynamic statement involves four steps:
- First, the statement text is parsed.
- Second, the actual parameters are bound to the placeholders (the formal parameters).
- Third, the statement is executed.
- Fourth, the results are returned to the calling statement.
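The two ways of building dynamic SQL described above, and the parse/bind/execute/return cycle of the four steps, as an added example that is not code from the original post. It uses Python's standard `sqlite3` driver against an in-memory database; the table, the rows, the `SORTABLE_COLUMNS` allow-list and the injection payload are all constructed for the example. The same pattern applies to any host language that exposes prepared statements (for instance `EXECUTE IMMEDIATE ... USING` in PL/SQL).

```python
import sqlite3

# Constructed sample data for the example, not from the original page.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Identifiers cannot be bound through a placeholder, so a column name chosen
# by the caller is checked against this (assumed) allow-list instead.
SORTABLE_COLUMNS = frozenset({"name", "email"})


def open_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_glued(conn, name):
    """Dynamic SQL built by gluing strings: the caller's input becomes part
    of the statement text and is parsed as SQL (deliberately vulnerable)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, name):
    """Dynamic SQL with a placeholder: the input is a value bound to the
    formal parameter, so it can never change the statement's structure."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    # The driver walks the four steps: parse the text, bind the actual
    # parameter (name) to the ? placeholder, execute, then return rows
    # to the caller via fetchall().
    cur = conn.execute(sql, (name,))
    return cur.fetchall()


def list_sorted(conn, column):
    """A run-time identifier cannot be bound, so it is allow-listed and
    only then glued into the statement text."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = f"SELECT name, email FROM users ORDER BY {column}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_db()
    payload = "nobody' OR '1'='1"
    print("glued :", find_by_name_glued(db, payload))   # every row leaks
    print("bound :", find_by_name_bound(db, payload))   # no row matches
    print("sorted:", list_sorted(db, "email"))
```

With the payload `nobody' OR '1'='1`, the glued version runs `... WHERE name = 'nobody' OR '1'='1'` and returns every row, while the bound version looks for a user literally named `nobody' OR '1'='1` and returns nothing; `list_sorted` shows the one place where string gluing remains necessary and why the allow-list check has to stand in for the bind.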