CODEWITHSUNDEEP
javascriptplsql
shakz
shakz

Reputation: 639

How to pass array as a parameter to a plsql procedure through javascript

I am calling a plsql procedure from window.opener.location.href, I want to pass an array as a parameter to this procedure.

window.opener.location.href="dt_bulk_test_pkg.pc_bulk_test?ps="+frmresult.ps.value+
                            "&p_step="+frmresult.p_step.value+
                            "&p_year="+frmresult.p_year.value+
                            "&p_quarter="+frmresult.p_quarter.value+
                            "&p_diagnostic_type="+frmresult.p_diagnostic_type.value+
                            "&p_overwrite="+frmresult.p_overwrite.value+
                            "&p_company_id="+v_comp_id;

v_comp_id is an array.

Upvotes: 0

Views: 1946

Answers (2)

JohnyP
JohnyP

Reputation: 11

I know that this is an old thread but I landed here so I guess others will.

It is quite possible to pass arrays to PL/SQL via a URL and it is explicitly supported, not a dodgy hack. Link to Oracle doc

You declare the PL/SQL input parameter as a table of varchar2. Then you pass the same parameter name repeatedly in the URL.

1/ Example PL/SQL source:

CREATE OR REPLACE PROCEDURE test_array(
    p IN dbms_sql.varchar2_table )
AS
BEGIN
  FOR i IN p.FIRST .. p.LAST
  LOOP
    htp.p(p(i)||'<br>');
  END LOOP;
END test_array;

*2/ Example URL to invoke it: - substitute XXXXXXXXXXXXXX with your own setup *

http://XXXXXXXXXXXXXX/test_array?p=first ele&p=second ele

3/ Output

first ele
second ele

You can pass in as many elements as you want, I just used 2 for this example.

If your data type is not varchar2, capture them as varchar2 from the URL anyway and convert them to numbers etc inside the pl/sql.

Upvotes: 1

George Mauer
George Mauer

Reputation: 122172

PL/SQL is a database technology, Javascript is an in-browser technology (unless you're doing server side JS with node or Rhino but you are not). The browser can only communicate with web servers. So from the point of javascript, you're not calling a stored procedure, you're calling a web-server that you must have running somewhere that calls that stored procedure.

How exactly arrays are represented is up to the server-side language/web-framework, but a fairly standard approach is that taken by jQuery's $.param method. For example, opening up the console on this site I can do this:

> $.param({example: [1,2,3]})
"example%5B%5D=1&example%5B%5D=2&example%5B%5D=3"

Words of warning.

  • Exposing database stored procedures directly via HTTP is not only bad design, but likely a crazy-bad security risk.
  • Embedding parameters in a url means you are using an HTTP GET request. GET requests are meant for resources that do not affect the state of the server so be careful that your stored procedure only gets data, not changes it. The danger is that someone could put that url in an email or even an img src tag on a webpage and people would hit that url simply by clicking a link or visiting a web page.
  • All parameters should pass through url encoding. Like I mentioned, jQuery.param will do this.
  • You are likely exposing yourself to XSS attacks as well.

Upvotes: 1

Related Questions