Q: What is dynamic SQL?
Answer:
Dynamic SQL is SQL whose statement text is constructed at runtime. PREPARE turns that text into an executable statement. EXECUTE runs the prepared statement. EXECUTE IMMEDIATE prepares and runs it in one step, for one-time statements. DECLARE CURSOR is used with prepared statements that return rows (queries). Dynamic SQL is more flexible but less efficient than static SQL, and raises security concerns (SQL injection).
Q: How to prevent SQL injection?
Answer:
Use parameter markers (?) instead of string concatenation: PREPARE stmt FROM 'SELECT * FROM t WHERE c = ?', then EXECUTE stmt USING :hostvar. Never build SQL text directly from user input. Validate input. Use static SQL when possible.