Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Dynamic SQL is a programming technique that allows you to construct SQL statements dynamically at runtime. This means you can create more flexible applications because user input or variables can be easily incorporated into the SQL commands.

Dynamic SQL is useful in cases where the specifics of a query are not known at compile time. For instance, a user might be able to specify certain columns to query or sort by, or a program might need to construct different WHERE clauses based on complex conditions.

Here's an example in PL/SQL, (Oracle's procedural extension for SQL):

DECLARE
  table_name VARCHAR2(30) := 'my_table';
  column_name VARCHAR2(30) := 'my_column';
  value NUMBER := 100;
  sql_stmt VARCHAR2(100);
BEGIN
  sql_stmt := 'UPDATE ' || table_name || ' SET ' || column_name || ' = ' || value;
  EXECUTE IMMEDIATE sql_stmt;
END;

In this PL/SQL block, an SQL statement is being constructed dynamically by concatenating strings and variables. The EXECUTE IMMEDIATE command is then used to execute the dynamically created SQL statement.

Here's another example in Python using the sqlite3 module:

import sqlite3

# Create a connection to the SQLite database
# Doesn't matter if the db doesn't yet exist
conn = sqlite3.connect('example.db')

# Create a cursor object
c = conn.cursor()

# Define a table name
table_name = 'stocks'

# Create a query string
query = 'SELECT * FROM {}'.format(table_name)

# Execute the query
c.execute(query)

# Fetch and print the results
for row in c.fetchall():
    print(row)

# Close the connection
conn.close()

In this Python script, a query is constructed as a string that includes a variable table name. The query string is then executed using the execute() method of a cursor object.

It's important to use it carefully because it can make your program vulnerable to SQL injection attacks. This is a type of security vulnerability where an attacker can manipulate the SQL statements your program executes by providing malicious input. To avoid this, always sanitize user input and use parameterized queries or prepared statements whenever possible.

  • No labels