Dynamic SQL

Owned by Computer Science Department
Last updated: Aug 05, 2023
2 min read

Dynamic SQL is a programming technique that allows you to construct SQL statements dynamically at runtime. This means you can create more flexible applications because user input or variables can be easily incorporated into the SQL commands.

Dynamic SQL is useful in cases where the specifics of a query are not known at compile time. For instance, a user might be able to specify certain columns to query or sort by, or a program might need to construct different WHERE clauses based on complex conditions.

Here's an example in PL/SQL, (Oracle's procedural extension for SQL):

DECLARE table_name VARCHAR2(30) := 'my_table'; column_name VARCHAR2(30) := 'my_column'; value NUMBER := 100; sql_stmt VARCHAR2(100); BEGIN sql_stmt := 'UPDATE ' || table_name || ' SET ' || column_name || ' = ' || value; EXECUTE IMMEDIATE sql_stmt; END;

In this PL/SQL block, an SQL statement is being constructed dynamically by concatenating strings and variables. The EXECUTE IMMEDIATE command is then used to execute the dynamically created SQL statement.

Here's another example in Python using the sqlite3 module:

import sqlite3 # Create a connection to the SQLite database # Doesn't matter if the db doesn't yet exist conn = sqlite3.connect('example.db') # Create a cursor object c = conn.cursor() # Define a table name table_name = 'stocks' # Create a query string query = 'SELECT * FROM {}'.format(table_name) # Execute the query c.execute(query) # Fetch and print the results for row in c.fetchall(): print(row) # Close the connection conn.close()

In this Python script, a query is constructed as a string that includes a variable table name. The query string is then executed using the execute() method of a cursor object.

It's important to use it carefully because it can make your program vulnerable to SQL injection attacks. This is a type of security vulnerability where an attacker can manipulate the SQL statements your program executes by providing malicious input. To avoid this, always sanitize user input and use parameterized queries or prepared statements whenever possible.