Oracle Magazine, May/June 2018
Database Developer OPEN SOURCE cur con cursor statement select id name age notes from cx_ people order by age cur execute statement res cur fetchall print res SELECT SPECIFIC ROWS Now I want to see only the data for Kim I want therefore to restrict the rows returned by SELECT This is done with a WHERE clause and there are several ways to do it I could put the WHERE clause in the statement and it would work statement select id name age notes from cx_ people where name Kim However I want to choose the name at runtime and store it in a variable called person_ name I could accept the value as an argument or pass it into a function but Ill just set a variable to keep it simple It is possible to simply concatenate the value into the statement but this is very dangerous and opens the code to a SQL injection attack I wont be going into detail on SQL injection in this series but you should generally not allow end user input to be fed directly into a dynamic SQL statement A much safer way to pass external values into a SQL statement is by using bind variables with prepared statements You have a couple of different options Positional You can use a positional statement to pass in the values ORACLE MAGAZINE MAY JUNE 2018 84 cur execute select id name age notes from cx_ people where name 1 and age 2 Bob 35
You must have JavaScript enabled to view digital editions.