Execute any SQL statement from within an Application Express app? Sure, why not? Um.....

Received this question today:
We are planning to develop a product with APEX and is it possible to execute free SQL inside an APEX application? I mean is it possible to have a SQL execution window inside the APEX application like we execute inside Oracle SQL Developer?

Sure, why not? 

Well, actually, there are all sorts of reasons "why not", right?

But, yes, it is certainly technically possible to do this - and not very difficult. 
  • Create a page in Application Express.
  • Add a Text Area item and give your users lots of room to write lots of SQL. 
  • Add an Execute button.
  • Create a process that fires on that button, and contains code like this:
      BEGIN
         EXECUTE IMMEDIATE :P1000_your_sql;
      END;

Your users will then be able to do all sorts of things:
  • Create a new table (!)
  • Truncate an existing table (!!)
  • Set values of columns to NULL (!!!)
  • etc.
They will not be able to:
  • Execute a SELECT and see the results. For that you need an INTO clause.
  • Execute a DML statement that requires bind variables. For that you need a USING clause (or concatenation).
But they will be able to screw up your application really well!

So, seriously, you do NOT want to do that! 

Suppose, however, that you wanted to let a power user execute an ad-hoc, single-value query and see the result? In that case, something like this might almost be reasonable:

DECLARE
   value_out VARCHAR2(32767);
BEGIN
   -- INTO forces the text to be a query that returns exactly one row and one column.
   EXECUTE IMMEDIATE :P1000_your_sql INTO value_out;

   -- Undo any change a function called from the query may have made in this transaction.
   ROLLBACK;

   :P1000_your_sql := value_out;
END;

The INTO clause means that you must execute a single-value, single-row select.

The ROLLBACK ensures that any changes you try to sneak in will be rolled back... well, unless your power user has truly super powers and was able to previously create an autonomous transaction function and then call it in the query.
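A tightened version of that power-user process, added here as an example and not code from the original post: it keeps the INTO and ROLLBACK from above, but also wraps the user's text as an inline view so that only a query can parse, limits the result to the first row rather than insisting on exactly one, and turns any error into a message instead of a failed page. :P1000_your_sql is the page item from the post; :P1000_result is an assumed second item that holds the output.

```sql
DECLARE
   -- :P1000_your_sql is the item from the post; :P1000_result is an assumed output item.
   l_sql    VARCHAR2(32767) := :P1000_your_sql;
   l_result VARCHAR2(32767);
BEGIN
   -- Wrap the text as an inline view: CREATE/DROP/TRUNCATE/UPDATE cannot parse
   -- inside FROM ( ... ), a trailing ';' is rejected by EXECUTE IMMEDIATE, and
   -- ROWNUM = 1 avoids ORA-01422 when the query returns more than one row.
   l_sql := 'SELECT * FROM (' || l_sql || ') WHERE ROWNUM = 1';

   -- INTO a single variable still insists on exactly one column.
   EXECUTE IMMEDIATE l_sql INTO l_result;

   -- Undo anything a function called from the query may have changed in this
   -- transaction. Writes made through a PRAGMA AUTONOMOUS_TRANSACTION function
   -- survive this, which is exactly the loophole the post describes.
   ROLLBACK;

   :P1000_result := l_result;
EXCEPTION
   WHEN NO_DATA_FOUND THEN
      ROLLBACK;
      :P1000_result := '(no rows)';
   WHEN OTHERS THEN
      -- Anything that is not a one-column query ends up here.
      ROLLBACK;
      :P1000_result := 'Rejected: ' || SQLERRM;
END;
```

This narrows what the item can run to what a SELECT in the parsing schema can reach; it does not turn the idea into a good one.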

But if you've got a user who can do that, you've got bigger problems than anything I can address in this somewhat tongue-in-cheek post!

Comments

  1. Very clear explanation, that solved my problem too. Thank you Steven Feuerstein
  2. Thank you Steven Feuerstein for sharing important information
