Question
We have a program that allows users to map raw unmodified input data to a standardized final table.
In general it's a simple one-to-one match without any special logic needed.
For example, raw_table.raw_col_1 will map to final_table.col_1, raw_table.raw_col_2 will map to final_table.col_2, etc.
However, one customer wants the ability to have final_table.col_3 mapped as follows:
case
when (raw_col_1 = 'S12' and raw_col_2 = 'D18') or raw_col_3 is not null then raw_col_3
else 'GF17'
end
Other similar requests are there as well.
I can easily achieve this using dynamic SQL when loading the final_table. However, that leaves us open to SQL injection attacks.
Is there a way we can allow this type of custom field mapping without resorting to dynamic SQL?
Answer 1:
You're getting into the area of allowing development tools to be exposed to end users at runtime - configuration at some point becomes complex enough that it requires or mimics the power of code. You have a couple of options:
1) Provide a user interface that can account for the use cases - for example a simplified query builder. And make sure that all of the individual components are validated or bound in. Whether or not this is feasible will depend on the level of complexity, and how much effort you want to put into such a user interface.
2) Provide an admin level of customization which allows customers to provide more sophisticated logic. Since this is an Oracle database, you could have them provide this as a PL/SQL function which can return the value.
The 2nd option could either be done through a user interface, or via a backend loader. However, in either case, you should make sure that the administrators understand that this is highly privileged functionality, and audit what goes in and who has access to it.
You can also configure this in such a way that the package is in a limited schema that has much more limited privileges (and is called with definer's rights), although the best way to do that will depend on the version of the database that you are using. 12c provides more security features in this area.
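Option 1 above, a constrained expression builder whose identifiers come from a whitelist and whose literals travel as bind variables, as an added example in Python (not code from the question, the answer, or any product). It assumes a whitelist of raw_table columns, Oracle-style `:name` bind placeholders, and that the customer's rule is captured as a small data structure rather than as SQL text; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed whitelist of raw_table columns (assumption: a real loader would
# read these from the data dictionary rather than hard-code them).
RAW_COLUMNS = {"raw_col_1", "raw_col_2", "raw_col_3"}

# The only comparison forms a customer rule may use; anything else is rejected.
UNARY_OPS = {"is null", "is not null"}
BINARY_OPS = {"=", "<>", ">", "<", ">=", "<="}


class MappingError(ValueError):
    """Raised when a rule references a column or operator outside the fixed sets."""


@dataclass(frozen=True)
class ColumnRef:
    name: str            # must be in the whitelist


@dataclass(frozen=True)
class Literal:
    value: str           # customer-supplied, always emitted as a bind variable


@dataclass(frozen=True)
class Predicate:
    column: str
    op: str
    value: Optional[str] = None


@dataclass(frozen=True)
class WhenBranch:
    or_groups: List[List[Predicate]]   # (p1 AND p2) OR (p3) ...
    result: Union[ColumnRef, Literal]


@dataclass(frozen=True)
class CaseMapping:
    branches: List[WhenBranch]
    default: Union[ColumnRef, Literal]


class CaseBuilder:
    """Renders a CaseMapping to CASE text plus a bind dict; no user text is inlined."""

    def __init__(self, allowed_columns) -> None:
        self.allowed = set(allowed_columns)
        self.binds: Dict[str, str] = {}

    def _column(self, name: str) -> str:
        if name not in self.allowed:
            raise MappingError(f"unknown column: {name!r}")
        return name

    def _bind(self, value: str) -> str:
        key = f"b{len(self.binds)}"
        self.binds[key] = value
        return f":{key}"

    def _predicate(self, p: Predicate) -> str:
        col = self._column(p.column)
        if p.op in UNARY_OPS:
            if p.value is not None:
                raise MappingError(f"{p.op!r} takes no value")
            return f"{col} {p.op}"
        if p.op in BINARY_OPS:
            if p.value is None:
                raise MappingError(f"{p.op!r} needs a value")
            return f"{col} {p.op} {self._bind(p.value)}"
        raise MappingError(f"unsupported operator: {p.op!r}")

    def _value(self, v: Union[ColumnRef, Literal]) -> str:
        if isinstance(v, ColumnRef):
            return self._column(v.name)
        if isinstance(v, Literal):
            return self._bind(v.value)
        raise MappingError(f"unsupported result: {v!r}")

    def build(self, mapping: CaseMapping) -> Tuple[str, Dict[str, str]]:
        self.binds = {}
        parts = ["case"]
        for br in mapping.branches:
            groups = [" and ".join(self._predicate(p) for p in g) for g in br.or_groups]
            cond = " or ".join(f"({g})" for g in groups) if len(groups) > 1 else groups[0]
            parts.append(f"when {cond} then {self._value(br.result)}")
        parts.append(f"else {self._value(mapping.default)}")
        parts.append("end")
        return " ".join(parts), dict(self.binds)


# The customer's rule from the question, expressed as data instead of SQL text.
CUSTOMER_RULE = CaseMapping(
    branches=[WhenBranch(
        or_groups=[
            [Predicate("raw_col_1", "=", "S12"), Predicate("raw_col_2", "=", "D18")],
            [Predicate("raw_col_3", "is not null")],
        ],
        result=ColumnRef("raw_col_3"),
    )],
    default=Literal("GF17"),
)


def build_customer_rule() -> Tuple[str, Dict[str, str]]:
    return CaseBuilder(RAW_COLUMNS).build(CUSTOMER_RULE)


def literal_is_bound_not_inlined() -> bool:
    """A value containing a quote never reaches the SQL text, only the bind dict."""
    rule = CaseMapping(
        branches=[WhenBranch([[Predicate("raw_col_1", "=", "O'Brien")]], Literal("Y"))],
        default=Literal("N"),
    )
    sql, binds = CaseBuilder(RAW_COLUMNS).build(rule)
    return "'" not in sql and binds["b0"] == "O'Brien"


def unknown_column_is_rejected() -> bool:
    """A column outside the whitelist cannot be rendered at all."""
    try:
        CaseBuilder(RAW_COLUMNS).build(CaseMapping(branches=[], default=ColumnRef("raw_col_9")))
    except MappingError:
        return True
    return False


if __name__ == "__main__":
    sql, binds = build_customer_rule()
    # The CASE text is spliced into the loader's fixed INSERT ... SELECT and the
    # bind dict is handed to the driver (python-oracledb accepts a dict of binds).
    print(f"insert into final_table (col_3) select {sql} from raw_table")
    print(binds)
```

Because column names and operators can only come from the two fixed sets and every customer-supplied value is emitted as `:bN`, the shape of the statement is decided by the application; the customer controls which whitelisted columns and which bound values are compared, nothing more. Rules can still be stored and audited as data, which also fits the answer's point about logging what goes in and who has access.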
Source: https://stackoverflow.com/questions/45989603/custom-sql-column-formulas-without-dynamic-sql