SQL Execute Immediate

By Craig Cmehil

Leveraging SQLScript in Stored Procedures & User Defined Functions

You will learn

In contrast to executing a string using EXEC, executing the string using EXECUTE IMMEDIATE returns a result set.

Details

  1. Switch back to the procedure editor.
  2. Replace the EXEC keyword with EXECUTE IMMEDIATE.
  3. Click “Save”.
  4. Use what you have learned already and perform a build on your hdb module. Then return to the HRTT page and run the CALL statement again.
  5. You will notice the implicit result set is now returned to the console. But you still cannot work further on this result set.
  6. Now change the CALL statement again, this time inserting the value for the input parameter as ‘ ’ as shown here. Run the CALL statement again.
  7. You will notice the count is 10, which refers to all products except for Laser printers.
  8. Now change the CALL statement. This time insert the value for the input parameter as ‘OR 1 = 1’ as shown here. Run the CALL statement again.
  9. You will notice the count is now much higher, 106. This illustrates the possibility of SQL injection: the always-true OR condition (1 = 1) forces the complete WHERE condition to evaluate to true for each record.
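The following SQLScript is an added example, not the tutorial's own procedure: it puts the concatenating pattern exercised in steps 6 to 9 beside two forms that keep the caller's input out of the statement text. The table name "MD.Products", its CATEGORY column and the procedure names are assumptions; the syntax assumes HANA 2.0 SQLScript (EXECUTE IMMEDIATE with INTO and USING, ESCAPE_DOUBLE_QUOTES).

```sql
-- Added example, not the tutorial's own procedure. Assumed names (not from the tutorial):
-- table "MD.Products" with a CATEGORY column; HANA 2.0 SQLScript syntax throughout.

-- Unsafe: the caller-supplied string is concatenated into the statement text, so the caller
-- controls the statement's structure. This is the pattern the steps above exercise.
CREATE PROCEDURE count_products_unsafe ( IN im_filter NVARCHAR(5000) )
  LANGUAGE SQLSCRIPT SQL SECURITY INVOKER AS
BEGIN
  -- im_filter = ' '        -> WHERE CATEGORY <> 'Laser printers'            (step 7 result)
  -- im_filter = 'OR 1 = 1' -> WHERE CATEGORY <> 'Laser printers' OR 1 = 1   (every row, step 9)
  EXECUTE IMMEDIATE 'SELECT COUNT(*) AS CNT FROM "MD.Products"'
                 || ' WHERE CATEGORY <> ''Laser printers'' ' || :im_filter;
END;

-- Safe, case 1: the statement text is fixed, so no dynamic SQL is needed at all.
CREATE PROCEDURE count_products_static ( IN im_category NVARCHAR(256),
                                         OUT ex_count INTEGER )
  LANGUAGE SQLSCRIPT SQL SECURITY INVOKER READS SQL DATA AS
BEGIN
  SELECT COUNT(*) INTO ex_count FROM "MD.Products" WHERE CATEGORY <> :im_category;
END;

-- Safe, case 2: dynamic SQL is genuinely needed (here the table name varies), so the
-- identifier is escaped and the value travels as a bind parameter instead of as text.
-- 'OR 1 = 1' passed as im_category is then only a literal that matches no category.
CREATE PROCEDURE count_products_dynamic ( IN im_table NVARCHAR(256),
                                          IN im_category NVARCHAR(256),
                                          OUT ex_count INTEGER )
  LANGUAGE SQLSCRIPT SQL SECURITY INVOKER AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM "' || ESCAPE_DOUBLE_QUOTES(:im_table)
                 || '" WHERE CATEGORY <> ?'
    INTO ex_count USING :im_category;
END;

-- Constructed calls mirroring steps 6 and 8 against the unsafe procedure, then the same
-- suspicious input against the parameterised one:
CALL count_products_unsafe(' ');
CALL count_products_unsafe('OR 1 = 1');
CALL count_products_dynamic('MD.Products', 'OR 1 = 1', ?);
```

The last CALL compares CATEGORY with the string 'OR 1 = 1' as a value, so the WHERE clause keeps its structure regardless of what the caller supplies.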

Updated 12/08/2016

Time to Complete

10 Min.

Intermediate
