Code Listing 5: Overreliance on concatenation

CREATE OR REPLACE PROCEDURE date_range_col_update (
   tab_in       IN   VARCHAR2
  ,datecol_in   IN   VARCHAR2
  ,start_in     IN   DATE
  ,end_in       IN   DATE
  ,valcol_in    IN   VARCHAR2
  ,val_in       IN   NUMBER
)
IS
   str   VARCHAR2 (32767)
      :=    'UPDATE '
         || tab_in
         || ' SET '
         || valcol_in
         || ' = '
         || TO_CHAR (val_in)
         || ' WHERE '
         || datecol_in
         || ' BETWEEN TO_DATE ('''
         || TO_CHAR (start_in)
         || ''') AND TO_DATE ('''
         || TO_CHAR (end_in)
         || ''')';
BEGIN
   EXECUTE IMMEDIATE str
               USING val_in, datecol_in, start_in, end_in;

   DBMS_OUTPUT.put_line ('Rows updated: ' || TO_CHAR (SQL%ROWCOUNT));
-- Exception handled left out to save space
END date_range_col_update;
/