I need to build insanely flexible stored procedures for internal users that know what they’re doing. These are folks that live in an SQL*Plus window all day who will suddenly be forced to use web forms.
These users will be provided a form, created by inspecting procedure metadata, where they’ll be able to execute stored procedures that look like this:
    create or replace
    PROCEDURE DEV_UPDATE_TABLE_FOO
    (
      SET_FIELD IN VARCHAR2
    , SET_VALUE IN VARCHAR2
    , WHERE_CLAUSE IN VARCHAR2
    ) AS
    BEGIN
      UPDATE foo
      SET <SET_FIELD>=<SET_VALUE>
      where <WHERE_CLAUSE>;
    END DEV_UPDATE_TABLE_FOO;
With some quick searching, I’m not seeing that this is possible w/o causing problems with the “provided a form, created by inspecting procedure metadata” part of the problem.
SQL injection is basically encouraged. Meaning, we want these folks to be able to update a single field of their choice with a value of their choice, with a set clause that they create. They’ll have to quote strings where the value is VARCHAR2, etc.
Yet all that’s available to the UI that will draw the form is metadata. Other stored procedures will be more static and sensible. Those are easy.
Any ideas? The obvious answer is “just let them have access to sql*plus, or sqldeveloper, etc.” Not possible, unfortunately.
Thanks in advance…
Use
Documentation is here
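
One way to keep the three metadata-visible parameters from the question while narrowing what the concatenated statement can do, as an added example that is not code from the original posts. It assumes table FOO lives in the procedure owner's schema; the error numbers and local variable names are arbitrary choices.

```sql
-- Added example, not the poster's code. Assumes FOO is in the owner's schema.
CREATE OR REPLACE PROCEDURE DEV_UPDATE_TABLE_FOO
(
  SET_FIELD    IN VARCHAR2
, SET_VALUE    IN VARCHAR2
, WHERE_CLAUSE IN VARCHAR2
) AS
  v_column VARCHAR2(200);
  v_known  PLS_INTEGER;
  v_sql    VARCHAR2(32767);
BEGIN
  -- Identifiers cannot be bound, so validate the column name instead.
  -- SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a plain name.
  v_column := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(SET_FIELD)));

  -- Confirm the name is a real column of FOO before concatenating it.
  SELECT COUNT(*) INTO v_known
    FROM all_tab_columns
   WHERE owner = SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA')
     AND table_name = 'FOO'
     AND column_name = v_column;
  IF v_known = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Not a column of FOO: ' || v_column);
  END IF;

  -- An empty predicate would leave the statement malformed; refuse it early.
  IF TRIM(WHERE_CLAUSE) IS NULL THEN
    RAISE_APPLICATION_ERROR(-20002, 'WHERE_CLAUSE is required');
  END IF;

  -- SET_VALUE travels as a bind, so it needs no quoting and cannot alter
  -- the statement text. Conversion to NUMBER or DATE columns is implicit
  -- (DATE conversion follows the session's NLS_DATE_FORMAT).
  -- WHERE_CLAUSE is still free-form text: it runs with the procedure
  -- owner's privileges (definer's rights is the default), so the owner's
  -- grants are what bound the damage a predicate can do.
  v_sql := 'UPDATE foo SET ' || v_column || ' = :val WHERE ' || WHERE_CLAUSE;
  EXECUTE IMMEDIATE v_sql USING SET_VALUE;

  DBMS_OUTPUT.PUT_LINE(SQL%ROWCOUNT || ' row(s) updated');
END DEV_UPDATE_TABLE_FOO;
/
```

Because the signature is unchanged, a form generated from procedure metadata sees the same three VARCHAR2 inputs as before.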