This is a followup to an older question about Oracle's row level security feature originally discussed here
I needed to modify the because the original code would return more than one results if the user was attached to multiple projects. So now I need to have multiple where conditions (ie where project = project_1 or project = project_2) passed to the security policy for this to work. To do this I tried modifying the code by using a for loop and it is not working...
--create function
create or replace function
table_access_policy
(obj_schema varchar2, obj_name varchar2) return varchar2
is
v_project_temp varchar2(9000);
begin
v_project_temp:= 'declare v_project varchar2(9000);
begin
v_project:= ''project = '';
for c in (select admin.access_list.project from admin.access_list where upper(admin.access_list.user_id) = SYS_CONTEXT (''USERENV'', ''SESSION_USER''))
loop
v_project := v_project || c.project_sn || '' or project = '' ;
end loop;
v_project := rtrim(v_project, '' or project = '');
end;';
return v_project_temp;
end;
The function saves/runs without any errors, but the policy itself throws an error when it's called. Is there a better way to do this?
Instead of putting the PL/SQL in a string you should run it and build up the v_project string to return. Such as:
--create function
create or replace function
table_access_policy
(obj_schema varchar2, obj_name varchar2) return varchar2
is
v_project varchar2(9000);
begin
v_project:= 'project = ';
for c in (select admin.access_list.project from admin.access_list where upper(admin.access_list.user_id) = SYS_CONTEXT ('USERENV', 'SESSION_USER'))
loop
v_project := v_project ||''''|| c.project_sn ||''''|||| ' or project = ' ;
end loop;
v_project := rtrim(v_project, ' or project = ');
return v_project;
end;
Ultimately the value that appears in v_project will go straight after a where in an SQL statement such as:
select * from data;
will become
select * from date where <v_project>;
So only something that follows a where should go in v_project.
Related
I have three tables, viz:
Mains_Control
Control_Mapping
Control_Details
along with several conditions and columns. But I am performing dynamic operations on the tables columns given below.
I am unable to write a dynamic SQL block in PL-SQL procedure for the below conditions. Could anyone please assist me on this particular scenario.
SELECT *
FROM CUR_ALL_CONTENTS
WHERE MAINS_CONTROL SWITCH = $SWITCH
AND ($ATTRIB_COLUMNS = $ATTRIB_VAL
OR $ATTRIB_COLUMNS = $ATTRIB_VAL)
The above business condition is this
SELECT *
FROM CUR_ALL_CONTENTS
WHERE MAINS_CONTROL_SWITCH = 'TYPE'
AND (SWITCH_MODE = 'THRUST' OR SWITCH_MODE_GEAR = 'SEC_GEAR')
Here SWITCH attribute value can change, ATTRIB_COLUMNS and ATTRIB_VAL can change.
Mains_Control table has the following columns
SWITCH ACTION_CODE RULE_MAP_1
TYPE ON R1
TYPE OFF R2
METHOD HOLD R3
METHOD TERM_IN R4
Control_Mapping table has the following columns
RULE_MAP_1 RULE_MAP_2
R1 M11
R2 M22
R3 M33
R4 M44
Control_Details table has the following columns
RULE_MAP_2 ATTRIB_COLUMNS OPERAND ATTRIB_VAL
M11 SWTICH_MODE = THRUST
M22 SWITCH_MODE_GEAR = SEC_GEAR
M33 HOLD_RELEASE <> END
Still not clear for me how you determine which condition shall be used and when. Let's give this example with hard-coded rule set:
DECLARE
sqlstr VARCHAR2(30000);
cur INTEGER;
res INTEGER;
refCur SYS_REFCURSOR;
val Mains_Control.SWITCH%TYPE;
CURSOR Conditions IS
SELECT *
FROM RULE_MAP_2 IN ('M11', 'M22');
BEGIN
cur := DBMS_SQL.OPEN_CURSOR;
sqlstr := 'SELECT * '||CHR(13);
sqlstr := sqlstr || 'FROM CUR_ALL_CONTENTS '||CHR(13);
sqlstr := sqlstr || 'WHERE MAINS_CONTROL_SWITCH = :switch AND (';
FOR aCond IN Conditions LOOP
sqlstr := sqlstr || aCond.ATTRIB_COLUMNS ||aCond.OPERAND||' :'||RULE_MAP_2 ||' OR '
END LOOP;
sqlstr := REGEXP_REPLACE(sqlstr, ' OR ', ')');
DBMS_OUTPUT.PUT_LINE(sqlStr); --> verify generated statement
DBMS_SQL.PARSE(cur, sqlStr, DBMS_SQL.NATIVE);
SELECT SWITCH
INTO val
FROM Mains_Control
WHERE RULE_MAP_1 = 'R1';
DBMS_SQL.BIND_VARIABLE(cur, ':switch', sw);
FOR aCond IN Conditions LOOP
DBMS_SQL.BIND_VARIABLE(cur, ':'||aCond.RULE_MAP_2, aCond.ATTRIB_VAL);
END LOOP;
res := DBMS_SQL.EXECUTE(cur);
refCur := DBMS_SQL.TO_REFCURSOR(cur);
FETCH refCur BULK COLLECT INTO ...;
END;
The code would be simpler without DBMS_SQL.BIND_VARIABLE, however using bind variables is the proper way of doing it.
create or replace function lstnation (listdisplay in varchar2)
return varchar2 is
nName varchar2 (1000) default null;
listD varchar2(1000) default null;
cursor display_nation
is
select nation.n_name
from nation
inner join region
on region.r_regionkey = nation.n_nationkey
where region.r_regionname = listdisplay;
BEGIN
open display_nation;
loop
fetch display_nation into nName;
exit when display_nation%notfound;
IF
listD := listD || RTRIM(nName)||' , ';
end loop;
close display_nation;
return listD;
end lstnation;
/
DECLARE
rKey region.r_regionkey%type;
rName region.r_name%type;
nList varchar2(1000);
cursor outer_block is
select region.r_regionkey, region.r_name, lstnation(region.r_name)
from region;
BEGIN
open outer_block;
loop
fetch outer_block into rKey, rName, nList;
exit when outer_block%notfound;
dbms.output.put_line(rkey || ' ' || RTRIM(rName) || ': '|| nList);
end loop;
close outer_block;
end;
/
I get two errors, how can I fix it
LINE/COL ERROR
19/12 PLS-00103: Encountered the symbol "=" when expecting one of the
following:
. ( * # % & = - + < / > at in is mod remainder not rem then
<an exponent (**)> <> or != or ~= >= <= <> and or like like2
like4 likec between || multiset member submultiset
20/2 PLS-00103: Encountered the symbol "END" when expecting one of the
following:
begin function pragma procedure subtype type
current cursor delete
exists prior
You can save some coding and efficiency by replacing the cursor loop with the listagg function
select listagg(rtrim(nation.n_name),',')
from nation
inner join region
on region.r_regionkey = nation.n_nationkey
where region.r_regionname = listdisplay;
So that will collate all the matching rows, and use whatever delimiter is passed in. One thing to be aware of, you have listD varchar2(1000) so as long as the results from the query are less than 1000, you are OK. If you expect a larger result set, you may need to increase or use a clob.
If for some reason, you still want to use the loop method, then you need to fix your IF statement:
loop
fetch display_nation into nName;
exit when display_nation%notfound;
IF <condition> THEN
listD := listD || RTRIM(nName)||' , ';
END IF;
end loop;
How is this possible?: If I replace message_format_name with the literal 'MT202', the query works as expected. Otherwise, it returns 2 rows instead of the expected 1--same as if that condition was commented out.
It seems the parameter value passed in to the stored proc doesn't equal the value in ms.message_format_name for some strange reason.
Let me know if you need more details.
Thanks!
set define off;
create or replace PROCEDURE insert_mapping(
interface_name IN VARCHAR2,
message_format_name IN VARCHAR2,
determined_field_type IN VARCHAR2,
source_field IN VARCHAR2,
mapping_key IN VARCHAR2,
mapping_key_value1 IN VARCHAR2,
mapping_key_value2 IN VARCHAR2 DEFAULT NULL,
return_val OUT sys_refcursor)
AS
BEGIN
dbms_output.put_line('interface_name = ' || interface_name);
dbms_output.put_line('message_format_name = ' || message_format_name);
dbms_output.put_line('determined_field_type = ' || determined_field_type);
dbms_output.put_line('source_field = ' || source_field);
/* INSERT
INTO payments.multi_value_lookup_mapping
(
pk_multi_value_lkp_mapping,
fk_pk_multi_value_lookup_confg,
mapping_key,
mapping_key_value1,
mapping_key_value2,
created_by,
created_dt,
update_by,
update_dt
)*/
OPEN return_val FOR
SELECT payments.seq_multi_value_lookup_map.nextval,
mvlc.pk_multi_value_lookup_config,
mapping_key,
mapping_key_value1,
mapping_key_value2,
50000,
SYSDATE,
50000,
SYSDATE
FROM payments.multi_value_lookup_config mvlc, payments.message_source ms
WHERE (ms.pk_message_source = mvlc.fk_pk_message_source
AND ms.interface_name = interface_name
AND ms.message_format_name = message_format_name /*'MT202'*/
AND mvlc.mapping_column_name = source_field
AND mvlc.lookup_category_type = determined_field_type
);
END insert_mapping;
This is not an Oracle bug. First, you should never use commas in the FROM clause. You should always use explicit JOIN syntax.
But that is not your specific problem. Variable resolution and scoping is.
When you have a reference such as interface_name in a query, then Oracle looks first for columns with that name. It never sees the variables. Name the variables something distinguishing, so you end up with code that is more like this:
. . .
FROM payments.multi_value_lookup_config mvlc JOIN
payments.message_source ms
ON ms.pk_message_source = mvlc.fk_pk_message_source
WHERE ms.interface_name = v_interface_name
ms.message_format_name = v_message_format_name /*'MT202'*/
mvlc.mapping_column_name = v_source_field
mvlc.lookup_category_type = v_determined_field_type
I have SQL strings that my users write. They look like:
SELECT Name, Age from Users WHERE Name LIKE '%a%' AND {UsersWhere}
On the oracle server side when such an SQL is to be executed I want to replace the {tags} first. The replacements for the {tags} will be valid SQL sub strings I am holding in a table. Pre-manufactered sub sqls. So the treated string will be valid SQL.
Is there some fancy build-in Oracle function to make this happen?
Thanks for a hint!
I have written a small function for anyone interested:
CREATE OR REPLACE FUNCTION SA.REPLACE_VARIABLES (p_sql IN VARCHAR2)
RETURN VARCHAR2
IS
vs_return VARCHAR2 (4000);
-- Deklarationen
vs_sql VARCHAR2(4000);
vs_substring VARCHAR2(4000);
vs_variable VARCHAR2(200);
vs_variable_content VARCHAR2(4000);
BEGIN
vs_sql := p_sql;
IF INSTR(p_sql, '{') > 0 THEN
vs_substring := vs_sql;
WHILE LENGTH(vs_substring) > 0 LOOP
IF INSTR(vs_substring, '{') <> 0
THEN
vs_variable := SUBSTR(vs_substring, INSTR(vs_substring, '{'), INSTR(vs_substring, '}') - INSTR(vs_substring, '{') + 1);
-- Do whatever you want with the variable
--vs_sql := REPLACE(vs_sql, vs_variable, vs_variable_content);
-- Substring verkürzen
vs_substring := SUBSTR(vs_substring, INSTR(vs_substring, vs_variable) + LENGTH(vs_variable) + 1);
ELSE
vs_substring := '';
END IF;
END LOOP;
END IF;
RETURN vs_sql;
EXCEPTION
WHEN OTHERS
THEN
-- Err -handle
END REPLACE_VARIABLES;
/
I'd just keep it simple:
v_sql := REPLACE(v_sql, '{UsersWhere}', '...whatever you need...');
I’m dong some SQL work this week and I normally write Java.
I need to add some if's into my SQL like so, but don’t want to do any string concatenation.
This should be an easy one: I just don’t know the SQL syntax
I want to make all those "AND" statements "if" conditions for params I’m passing in
Would I have to do something like this:
IF p_sac IS NOT NULL
THEN
stmt := stmt || ' AND nsns.sac = ''' || p_sac || '''';
END IF;
IF p_value1 IS NOT NULL
THEN
stmt := stmt || ' AND UPPER(value1s.value1) LIKE ''' || UPPER(p_value1) || ''' ';
END IF;
Or is there an alternative to this above?
Basically I've got this:
FUNCTION summarize_item_search_data (p_obj_code IN VARCHAR2, p_value1 IN VARCHAR2,
p_sac IN NUMBER, p_job_type_id IN NUMBER,
p_value4 IN NUMBER)
RETURN sys_refcurvalue2
IS
result_cur sys_refcurvalue2;
BEGIN
OPEN result_cur FOR
SELECT DISTINCT jp.id, jp.row_top.mwslin AS mwslin, jp.obj_code, jp.jobload_year, jp.row_top.fiscal_year AS fiscal_year,
nsns.sac, value1s.value1, nsns.nsn,
DECODE( jp.row_top.nsn_id, NULL, jp.row_top.nomenclature ,nsns.nomenclature) AS nomenclature, jp.row_top.value4 AS value4
FROM scabs sch, jobs JP, master_nsn nsns, master_value1 value1s, TABLE(value1s.group_id) (+) ntab,
groups pgds
WHERE jp.row_top.nsn_id = nsns.id(+) AND nsns.value1_id = value1s.id(+)
-- stmt := stmt || ' AND ''' || p_year || ''' = ntab.fiscal_year(+)';
AND ntab.group_id = pgds.id(+)
AND nsns.sac = p_sac
AND UPPER(value1s.value1) LIKE UPPER(p_value1)
AND UPPER(jp.obj_code) = UPPER(p_obj_code)
AND jp.row_top.value4 <= p_value4
AND jp.row_top.job_type_id =p_job_type_id
RETURN result_cur;
END summarize_item_search_data;
Just put it all into your WHERE clause as conditions:
WHERE
(p_sac IS NULL OR nsns.sac = p_sac) AND
....
If performance suffers greatly then you might want to look into using dynamic SQL, but I would start with the approach above.