Home/ Questions/Q 4038690
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T12:30:14+00:00

string sqlQuery = unknown; I need to write a function which receives a sql

  • 0
string sqlQuery = "unknown";

I need to write a function which receives a sql query as parameter e.g. sqlQuery. I would like to execute it only if it is select statement and return data. In other case, if parameter sqlQuery contains delete, update or truncate, the function should return null.

I wonder if there is way to achieve this without parsing contents of parameter sqlQuery.
I would like to do this using c sharp for oracle queries.

Any tips. Thanks.

Update:

  1. This should work for all kinds of users with all privileges.
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you really have to work with a constructed string that will operate on the database, you should use the DBMS_ASSERT database package to make sure you have a pure query that’s not subject to SQL injection. There’s a nice paper on the Oracle site about that here.

    The basics are:

    • only give the minimum privileges necessary, for example only giving the user “select” as described in an earlier reply. And then only on the minimum necessary set of tables. Views are really helpful here in limiting access.
    • Use bind variables where that’s possible.
    • If you can’t use bind variables then check the purity of your statement using DBMS_ASSERT
    • 0