-1

我得到 200 个供应商名称作为存储过程的巨大值的输入参数。我尝试在 CLOB、VARCHAR2(32767) 中声明。但是当我尝试执行时它不接受。请任何人帮助我如何处理这个问题。

CREATE OR REPLACE PROCEDURE GMMT_PROC.or_rmce_RB_grid_sp (
   p_plant_cd        IN VARCHAR2,
   p_region_cd       IN VARCHAR2,
   p_matrl_nbr       IN OUT VARCHAR2,
   p_supplier_nbr    IN OUT VARCHAR2,
   p_supplier_name   IN OUT CLOB,
   p_mrpcontrollercd IN OUT VARCHAR2,
   p_currency        IN   VARCHAR2,
   oresultset        OUT  sys_refcursor,
   p_err_cd          OUT  NUMBER,
   p_err_msg         OUT  VARCHAR2
)
IS
sqlquery varchar2(10000);
p1 varchar2(10);
p2 varchar2(20);
p3 varchar2(20);
p4 varchar2(20);
v_percent varchar2(10):='%';
V_FROM_CURRENCY VARCHAR2(5);
V_EX_RATE NUMBER;
v_matrl_nbr       VARCHAR2(10000);
v_supplier_nbr    VARCHAR2(10000);
v_supplier_name   CLOB;
v_mrpcontrollercd  VARCHAR2(10000);

BEGIN
p1:='matrl_nbr';
 v_matrl_nbr:=p_matrl_nbr;
 p2:='supplier_nbr';
 v_supplier_nbr :=p_supplier_nbr;
 p3:='supplier_name_txt';
 v_supplier_name :=p_supplier_name;
 p4:='mrp_controller_cd';
 v_mrpcontrollercd:=p_mrpcontrollercd; 
sqlquery:='select wk_nbr, nbr_working_days,'||p1||' as matrl_nbr ,'||p2||' as supplier_nbr,'||p3||' as supplier_name_txt,'||p4||' as mrp_controller_cd,sum(reqmnt_qty)reqmnt_qty , sum(proj_inven_qty)proj_inven_qty, sum(doh) doh,sum(proj_recpt_1) proj_recpt_1, sum(proj_recpt_2) proj_recpt_2, sum(proj_recpt_3) proj_recpt_3, sum(proj_recpt_4) proj_recpt_4,sum( proj_recpt_total_qty) proj_recpt_total_qty,sum(consumption_qty) consumption_qty, sum(consumption_var_qty) consumption_var_qty , sum(final_recpt_qty) final_recpt_qty,sum(recpt_var_qty) recpt_var_qty from GMMT_OWNER.OR_RMCE_GTT_PROJ_RECPT_T ';
sqlquery:=sqlquery||' where ('''||v_matrl_nbr||''' IS NULL) OR matrl_nbr IN (SELECT * FROM TABLE(GMMT_PROC.OR_in_list_RPT5_FN('''||v_matrl_nbr||'''))) OR matrl_nbr like '''|| v_matrl_nbr||v_percent||'''';
sqlquery:=sqlquery||' AND ('''||v_supplier_nbr||''' IS NULL) OR supplier_nbr IN (SELECT * FROM TABLE(GMMT_PROC.OR_in_list_RPT5_FN('''||v_supplier_nbr||'''))) OR supplier_nbr like '''|| v_supplier_nbr||v_percent||'''';
sqlquery:=sqlquery||' AND ('''||v_supplier_name||''' IS NULL) OR supplier_name_txt IN (SELECT * FROM TABLE(GMMT_PROC.OR_in_list_RPT5_FN('''||v_supplier_name||'''))) OR supplier_name_txt like '''|| v_supplier_name||v_percent||'''';
sqlquery:=sqlquery||' AND ('''||v_mrpcontrollercd||''' IS NULL) OR mrp_controller_cd IN (SELECT * FROM TABLE(GMMT_PROC.OR_in_list_RPT5_FN('''||v_mrpcontrollercd||'''))) OR mrp_controller_cd like '''|| v_mrpcontrollercd||v_percent||'''';
sqlquery:=sqlquery||' group by wk_nbr, nbr_working_days,'||p1||','||p2||','||p3||','||p4||' order by wk_nbr';

OPEN oresultset FOR sqlquery;

dbms_output.put_line(sqlquery);
END;
4

2 回答 2

1

您需要了解绑定变量!永远不要连接传递给 SQL 语句的值。

请参阅http://docs.oracle.com/cd/E14072_01/appdev.112/e10472/dynamic.htm#CHDFCHHJ了解为什么这是一个坏主意。

现在您遇到的问题是由于插入到 SQL 语句中的值很大,导致字符串长——对于 varchar 来说太长了。

请参阅http://docs.oracle.com/cd/E14072_01/appdev.112/e10472/dynamic.htm#BJEDAHEE了解如何使用来自 PL/SQL 的动态 SQL 的绑定变量。

于 2012-10-30T12:34:24.227 回答
1

动态 SQL:不要这样做。

您永远不应该,永远不要将包含值的变量连接到 SQL。永远不要,它会降低性能,产生难以重现/发现的错误,并且公然对 SQL 注入开放。

可以使用动态 SQL 进行动态分组,因为 P1...P4 不是值,而是列名,因此无法绑定。

所有其他变量应作为绑定传递

你的 OPEN 声明应该是:

OPEN oresultset FOR '
SELECT wk_nbr,
       nbr_working_days,
       ' || dbms_assert.simple_sql_name(p1) || ' AS matrl_nbr,
       ' || dbms_assert.simple_sql_name(p2) || ' AS supplier_nbr,
       ' || dbms_assert.simple_sql_name(p3) || ' AS supplier_name_txt,
       ' || dbms_assert.simple_sql_name(p4) || ' AS mrp_controller_cd,
       sum(reqmnt_qty) reqmnt_qty,
       [...]
  FROM GMMT_OWNER.OR_RMCE_GTT_PROJ_RECPT_T
 WHERE (:VAR1 IS NULL)
    OR matrl_nbr IN (SELECT * FROM TABLE(GMMT_PROC.OR_in_list_RPT5_FN(:VAR1)))
    OR matrl_nbr LIKE :VAR1 || ''%''
    AND (:VAR2 IS NULL)
    OR supplier_nbr IN (SELECT * FROM TABLE(GMMT_PROC.OR_in_list_RPT5_FN(:VAR2)))
    OR supplier_nbr LIKE :VAR2 || ''%''
    [...]
GROUP BY wk_nbr,
         nbr_working_days,
         ' || p1 || ', ' || p2 || ', ' || p3 || ', ' || p4 || '
ORDER BY wk_nbr' 
   USING v_matrl_nbr, v_matrl_nbr, v_matrl_nbr, 
         v_supplier_nbr, v_supplier_nbr, v_supplier_nbr,
         [...];

为防止用户滥用此动态 SQL 片段,您必须确保 p1...p4 已从您定义的列表中预先批准,或者如上所述使用DBMS_ASSERT 。

实际上,如果列表很小,您可以使用简单的静态 SQL:

OPEN cc FOR 
    SELECT wk_nbr,
           nbr_working_days,
           decode(p1, 'column1', column1, 'column2', column2 [...]) AS matrl_nbr,
           [...]
     GROUP BY [...]
              decode(p1, 'column1', column1, 'column2', column2 [...]),
              [...];
于 2012-10-30T14:42:52.583 回答