Tuesday, October 6, 2015

Execute any SQL statement from within a Application Express app? Sure, why not? Um.....

Received this question today:
We are planning to develop  a product with APEX and is it possible to  execute free sql inside an apex application? I mean is it possible to have a SQL execution window inside the APEX application like we execute inside an Oracle SQL developer?

Sure, why not? 

Well, actually, there are all sorts of reasons "why not", right?

But, yes, it is certainly technically possible to do this - and not very difficult. 
  • Create a page in Application Express.
  • Add a Text Area item and give your users lots of room to write lots of SQL. 
  • Add an Execute button.
  • Create a process that fires on that button, and contains code like this:
      BEGIN
         EXECUTE IMMEDIATE :P1000_your_sql;
      END;

Then your users will then be able to do all sorts of things:
  • Create a new table (!)
  • Truncate an existing table (!!)
  • Set values of columns to NULL (!!!)
  • etc.
They will not be able to:
  • Execute a SELECT and see the results. For that you need an INTO clause.
  • Execute a DML statement that requires bind variables. For that you need a USING clause (or concatenation).
But they will be able to screw up your application really well!

So, seriously, you do NOT want to do that! 

Suppose, however, that you wanted to let a power user execute an ad-hoc single value query and see the result? In that case, something like this might almost be reasonable:

DECLARE
   value_out VARCHAR2(32767);
BEGIN
   EXECUTE IMMEDIATE :P1000_your_sql INTO value_out;

   ROLLBACK;

   :P1000_your_sql := value_out;
END;

The INTO clause means that you must execute a single-value, single-row select.

The ROLLBACK ensures that any changes you try to sneak in will be rolled back....well, unless your power user has truly super powers and was able to previously create an autonomous transaction function and then call it in the query.

But if you've got a user who can do that, you've got bigger problems than anything I can address in this somewhat tongue-in-cheek post!

3 comments:

  1. Very Clear Explanation, That solved my problem too, Thank You Steven Feuerstein

    ReplyDelete
  2. Very Clear Explanation, That solved my problem too, Thank You Steven Feuerstein

    ReplyDelete
  3. Thank You Steven Feuerstein For sharing an important information

    ReplyDelete