Home

EXECUTE IMMEDIATE should be used instead of DBMS_SQL procedure calls

Description

    The EXECUTE IMMEDIATE should be used instead of DBMS_SQL procedure calls rule states that when executing dynamic SQL statements, the EXECUTE IMMEDIATE statement should be used instead of the DBMS_SQL package. EXECUTE IMMEDIATE is a PL/SQL statement that can be used to execute dynamic SQL statements. It is more efficient than the DBMS_SQL package, which requires more code and is less secure. This rule helps to ensure that dynamic SQL statements are executed in a secure and efficient manner.

Key Benefits

  • Speed: EXECUTE IMMEDIATE is faster than DBMS_SQL procedure calls.
  • Simplicity: EXECUTE IMMEDIATE is simpler to use than DBMS_SQL procedure calls.
  • Flexibility: EXECUTE IMMEDIATE allows for more flexibility than DBMS_SQL procedure calls.
  • Security: EXECUTE IMMEDIATE is more secure than DBMS_SQL procedure calls.

 

Non-compliant Code Example

CREATE OR REPLACE PROCEDURE DeleteCustomer() 
IS 
   cursor_name INTEGER;
BEGIN
   cursor_name := dbms_sql.open_cursor;
   DBMS_SQL.PARSE(cursor_name, 'DELETE FROM CUSTOMERS WHERE isNotActive',DBMS_SQL.NATIVE);   --Non compliant code (DBMS_SQL is used in the procedure calls)
   DBMS_SQL.CLOSE_CURSOR(cursor_name);
END;

Compliant Code Example

CREATE OR REPLACE PROCEDURE DeleteCustomer() 
IS 
   cursor_name INTEGER;
BEGIN
    EXECUTE IMMEDIATE 'DELETE FROM CUSTOMERS WHERE isNotActive';    --Compliant code (EXECUTE IMMEDIATE is used in the procedure calls)
END;
Visual Expert 2024
 VEPLSQLRULE78