Correct use of bind variables with dates in Oracle?


Solution 1

Is the date format a constant? Or does it change at runtime?

Normally, you know what format the string is (at least expected) to be in so the date format would be a constant. If something is a constant, it is not necessary to make it a bind variable, it can just be hard-coded as part of the statement. In this case, it wouldn't matter either way but there are cases where you'd rather the value be hard-coded in the SQL statement because you want to give the optimizer more information (think of a column with highly skewed data where you're always looking for a particular hard-coded value).

On the other hand, if the date format changes at runtime because someone is passing both the string representation of the date and the format the string is in to your procedure, it would make sense for the date format to be a bind variable.

Solution 2

The answer to your question is it depends...

If you're dynamically creating your date_format then you ought to use a bind variable to make yourself SQL-injection safe. If you're not dynamically creating the date-format then it's already hard-coded and there's very little point.

    select to_date(:my_date,'yyyymmdd') from dual

is safe anyway but:

    select to_date(:my_date,:my_date_format) from dual

should really be a bind.

This is all assuming that :my_date is not a column, in which case it cannot be a bind variable at all.

If you're binding :my_date, though, you're passing a static date to Oracle and not using a column; then can't OCI work this out for you without going to Oracle? (I don't know for sure, never used it.)
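
The difference between splicing a runtime date format into the statement and binding it, as an added example that is not part of either answer. It runs offline against SQLite as a stand-in for Oracle; the `to_date` function, the `dual` table, the helper names and the sample format values are all constructed for the demonstration.

```python
import sqlite3
from datetime import datetime

# Constructed subset of Oracle format elements mapped to strptime directives.
_ORA_TO_PY = {"yyyy": "%Y", "mm": "%m", "dd": "%d"}

def to_date(text, fmt):
    """Demo stand-in for Oracle's to_date(); raises on an unrecognised format."""
    py_fmt = fmt.lower()
    for ora, py in _ORA_TO_PY.items():
        py_fmt = py_fmt.replace(ora, py)
    return datetime.strptime(text, py_fmt).date().isoformat()

def make_conn():
    """In-memory SQLite with a one-row DUAL table and the to_date stand-in."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("to_date", 2, to_date)
    conn.execute("create table dual (dummy text)")
    conn.execute("insert into dual values ('X')")
    return conn

def parse_concat(conn, date_str, fmt):
    """Runtime format spliced into the statement text: fmt is parsed as SQL."""
    sql = "select to_date(:my_date,'" + fmt + "') from dual"
    return conn.execute(sql, {"my_date": date_str}).fetchone()[0]

def parse_bound(conn, date_str, fmt):
    """Runtime format passed as a bind: fmt can only ever be a value."""
    sql = "select to_date(:my_date,:my_date_format) from dual"
    binds = {"my_date": date_str, "my_date_format": fmt}
    try:
        row = conn.execute(sql, binds).fetchone()
    except sqlite3.OperationalError:
        return None  # to_date rejected the format; the statement is unchanged
    return row[0]

# Constructed caller-supplied format that closes the quote and adds an expression.
HOSTILE_FMT = "yyyymmdd') || ('INJECTED"

if __name__ == "__main__":
    conn = make_conn()
    print(parse_concat(conn, "20220615", "yyyymmdd"))
    print(parse_bound(conn, "20220615", "yyyymmdd"))
    print(parse_concat(conn, "20220615", HOSTILE_FMT))
    print(parse_bound(conn, "20220615", HOSTILE_FMT))
```

With a hard-coded format both forms behave identically, which is the "very little point" case; only the runtime-supplied format changes what the concatenated statement executes.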

Author by

Mark

Updated on June 15, 2022

Comments

  • Mark
    Mark almost 2 years

    I'm puzzled about the correct use of bind variables with dates in Oracle. This isn't within the database or when using PL/SQL, but rather when interacting with Oracle across an OCI interface, where the date needs to be passed in as a string using the to_date function.

    I would have thought the right approach to ensure the proper use of bind variables is to do the following:

    to_date(:my_date, :my_date_format)
    

    However, I've seen approaches where the date format isn't done using binds, so I'm a little confused.

    Can anyone confirm this or suggest the best approach?