Hi
I have a variable $1 which holds comma-separated email addresses like john@example.com,pat@example.com. I wish to pass this variable in a where clause like
It's not pretty, but you can achieve a 100% one-step SQL injection-proof solution like this. You plug the "criteria" CTE into your query, which parses the comma-separated list into a table. Then you can use it in an IN query like "where column in (select item from criteria)":
-- $1 is the single comma-separated value, supplied as one bind variable (never concatenated into the SQL text)
with criteria as
(
  select
    substr(criteria_list, item_start, item_length) as item
  from
  (
    select
      criteria_list,
      comma_pos + 1 as item_start,
      -- the last item has no following comma, so it runs to the end of the string
      nvl(next_comma_pos - 1, length(criteria_list)) - comma_pos as item_length
    from
    (
      select
        criteria_list,
        comma_pos,
        lead(comma_pos) over (order by comma_pos) as next_comma_pos
      from
      (
        -- one row per comma in the list (LEVEL-th occurrence of ',') ...
        select
          $1 as criteria_list,
          instr($1, ',', 1, level) as comma_pos
        from
          dual
        connect by
          instr($1, ',', 1, level) > 0 and instr($1, ',', 1, level) <= instr($1, ',', -1)
        union all
        -- ... plus a row for position 0, so the first item starts at character 1
        select
          $1,
          0
        from
          dual
      )
    )
  )
)
-- "column" is a placeholder (COLUMN is a reserved word in Oracle); use the real column name here
select * from some_table where column in (select item from criteria)
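The same idea, split the list inside the database so the whole value travels as one bind variable, carried over to a portable recursive CTE. This is an added example, not the answer's code: it uses SQLite (via Python's standard sqlite3 module) instead of Oracle, so CONNECT BY and INSTR with four arguments are replaced by a recursive CTE that peels one item off the front of the string per step. The table some_table with a column email, the sample rows, and the function names are all assumptions for the demonstration.

```python
import sqlite3

# Recursive CTE that turns the comma-separated bind value :criteria_list into rows.
# Each step takes the text before the first comma as an item and keeps the rest;
# appending a trailing comma means the last item is handled like every other one.
SPLIT_CTE = """
with recursive criteria(pos, item, rest) as (
    select 0, '', :criteria_list || ','
    union all
    select pos + 1,
           substr(rest, 1, instr(rest, ',') - 1),
           substr(rest, instr(rest, ',') + 1)
    from criteria
    where rest <> ''
)
"""

# Items only: useful to check what the CTE produced for a given input.
SPLIT_QUERY = SPLIT_CTE + """
select item from criteria where item <> '' order by pos
"""

# The IN query from the answer, against a hypothetical some_table(email).
MATCH_QUERY = SPLIT_CTE + """
select email from some_table
where email in (select item from criteria where item <> '')
order by email
"""


def setup_db():
    """Create an in-memory database with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table some_table (email text)")
    conn.executemany(
        "insert into some_table values (?)",
        [("john@example.com",), ("pat@example.com",), ("eve@example.com",)],
    )
    return conn


def split_in_sql(conn, criteria_list):
    """Return the list items exactly as the CTE parsed them (empty items dropped)."""
    rows = conn.execute(SPLIT_QUERY, {"criteria_list": criteria_list}).fetchall()
    return [r[0] for r in rows]


def emails_matching(conn, criteria_list):
    """Rows of some_table whose email appears in the comma-separated bind value."""
    rows = conn.execute(MATCH_QUERY, {"criteria_list": criteria_list}).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = setup_db()
    print(split_in_sql(db, "john@example.com,pat@example.com"))
    print(emails_matching(db, "john@example.com,pat@example.com"))
    # A list item that happens to contain SQL syntax stays plain data: it is compared
    # against the email column like any other string and matches nothing.
    print(emails_matching(db, "john@example.com,' or 1=1 --"))
```

Because the list reaches the database as a single parameter, the number of items never changes the SQL text, which is what makes the approach injection-proof; the trailing-comma trick also keeps the CTE correct for an empty list (it yields no rows) and for consecutive commas (empty items are filtered out).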