Stored Procedure - running a INSERT with dynamic variables

SQL_learner · August 28, 2025, 4:16pm

I am trying to run something similar to this within a stored procedure in Oracle.

pWhereClasue2 is generic which I set depending on the table I am working on. The following code runs just if I have the proper defined where clause, but If I try to use this variable, I keep getting errors. I have tried to use ||, single quotes, but nothing has worked. I am not an expert at Stored Procedure. But any help would be appreciated. I am just trying to figure how I can keep this generic and have this code work with pWhereCLAUSE working

INSERT INTO ABC

SELECT * FROM ABCD pWhereCLAUSE to_char(dateOne, 'DD-MON-YYYY') and ROWNUM <= variable1;

commit;

Ifor · September 3, 2025, 10:23am

This is a Microsoft SQL Server site so you might do better at Stackoverflow.

I suspect the only way a generic could work with any relational database is Dynamic SQL as a query plan needs the actual objects.

denis_the_thief · September 4, 2025, 6:55pm

It would be something like this in SQL Server. Should be similar in Oracle

CREATE PROCEDURE
[dbo].[sp_HumanEventsBlockViewer]
(
@whereclause nvarchar(256) = N'City = ''Cartago''',

)

AS
BEGIN

DECLARE @sqlCommand nvarchar(1000)

SET @sqlCommand = 'SELECT * FROM Person.Address WHERE ' + @whereclause
EXECUTE sp_executesql @sqlCommand

END

Ifor · September 5, 2025, 6:49am

SQL Injection

denis_the_thief · September 8, 2025, 1:22pm

Only if

A) @whereclause is exposed to Users

AND

b) @whereclause isn’t checked for injection