oracle存储过程防止sql注入的问题。。。。。。。。。。。。。。。。。。。。。。。。。。。。
我用open cursor1 for v_sqlstring动态打开游标，那个v_sqlstring是一个查询语句，为了防止查询条件有单引号之类的特殊符号，我用replace替换掉了单引号。
但是要查询的内容有单引号，要把这条含有单引号的内容查出来的话，就查不出了，什么办？？？




select replace(projectname,'''','') into projectname_temp from dual;这个地方把查询条件projectname里的单引号去掉了，但是如果这个字段里的数据有单引号的话，就查不出来了。。

SQL code

CREATE OR REPLACE function certificatefunction1(    projectstate in int,    projectname in varchar,    startDateMin in varchar,    startDateMax in varchar,    endDateMin in varchar,    endDateMax in varchar,    certificateType in int,    versions in varchar    ) return sys_refcursoras  cursor1 sys_refcursor;  projectname_temp varchar(50);  sqlstr varchar(2000);begin  sqlstr := sqlstr || ' select pp.profile_Id,pp.name,pp.version,pp.start_Date,pp.end_Date,pci.certificate_Type ';  sqlstr := sqlstr || ' from Project_Profile pp,Project_Certificate_Info pci ';  sqlstr := sqlstr || ' where pp.profile_Id = pci.profile_Id ';  sqlstr := sqlstr || ' and pp.status != ' || projectstate;    if projectname is not null then   select replace(projectname,'''','') into projectname_temp from dual;   sqlstr := sqlstr || ' and pp.name like ''%' || projectname_temp || '%''';  end if;    if startDateMin is not null then   sqlstr := sqlstr || ' and pp.start_date >= to_date(''' || startDateMin || ''',''yyyy-mm-dd'')';  end if;    if startDateMax is not null then   sqlstr := sqlstr || ' and pp.start_date < to_date(''' || startDateMax || ''',''yyyy-mm-dd'')';  end if;    if endDateMin is not null then   sqlstr := sqlstr || ' and pp.end_date >= to_date(''' || endDateMin || ''',''yyyy-mm-dd'')';  end if;    if endDateMax is not null then   sqlstr := sqlstr || ' and pp.end_date <= to_date(''' || endDateMax || ''',''yyyy-mm-dd'')';  end if;    if certificateType != -1 then   sqlstr := sqlstr || ' and pci.certificate_Type = ' || certificateType;  end if;    if versions is not null then   sqlstr := sqlstr || ' and pp.version like ''%' || versions || '%''';  end if;    sqlstr := sqlstr || ' order by pp.profile_Id desc ';    open cursor1 for sqlstr;    return cursor1;end certificatefunction1;

[解决办法]
针对projectname 特殊处理
if projectname is not null then
sqlstr := sqlstr || ' and pp.name like ''%?%''';
end if;

if projectname is not null then
open cursor1 for sqlstr using projectname
elsif then
open cursor1 for sqlstr;
end if

我的异常网推荐解决方案：oracle存储过程,http://www.myexception.cn/oracle-develop/177537.html