Is Oracle do parameters prevent SQL injection?

Question

In SQL Server, I know parameter can prevent SQL Injection with detail reason from this answer, and is Oracle the same can prevent SQL injection by using parameters?

This is my C# code:

OracleCommand command = new OracleCommand(querySql);
command.Parameters.Add(new OracleParameter("Column1", OracleDbType.Varchar2, 3, "Value1", ParameterDirection.Input));
command.Parameters.Add(new OracleParameter("Column1", OracleDbType.Varchar2, 6, "Value1", ParameterDirection.Input));
cmd.ExecuteReader();

Yes, SQL injection is a **general** problem for any database system that uses SQL as it's query language - it's **not** specific to SQL Server..... and the solution of using **parametrized queries** is also generally the best accepted practice to avoid SQL injection — marc_s, May 22 '20 at 08:50
ok, if there's Oracle Master that can explain working detail in Oracle is appreciated by readers. — yu yang Jian, May 22 '20 at 09:06

score 1 · Answer 1 · answered May 22 '20 at 10:57

In Oracle, one method is to use Pipelined Functions - essentially parameterized views of the data. See here for detailed explanation and examples:

The documentation also talks about SQL Injection, how it works, and how to defend against it:

Is Oracle do parameters prevent SQL injection?

1 Answers1