Back to normal view: https://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables

Literals, Substitution Variables and Bind Variables

If you've read anything about writing OLTP applications that talk to Oracle databases, you will know that bind variables are very important.

Each time a SQL statement is sent to the database, an exact text match is performed to see if the statement is already present in the shared pool. If no matching statement is found a hard parse is performed, which is a resource intensive process. If the statement is found in the shared pool this step is not necessary and a soft parse is performed. Concatenating variable values into a SQL statement makes the statement unique, forcing a hard parse. By contrast, using bind variables allow reuse of statements as the text of the statement remains the same. Only the value of the bind variable changes.

Why do we care?

In the sections below you will see the impact of using literals, substitution variables and bind variables in your code.

Related articles.

Literals

The following example shows the affect of using literals on the shared pool. First the shared pool is cleared of previously parsed statements. Then two queries are issued, both specifying literal values in the WHERE clause. Finally the contents of the shared pool is displayed by querying the V$SQL view.

alter system flush shared_pool;

select * from dual where dummy = 'LITERAL1';
select * from dual where dummy = 'LITERAL2';


column sql_text format a60
select sql_text,
       executions
from   v$sqlarea
where  instr(sql_text, 'select * from dual where dummy') > 0
and    instr(sql_text, 'sql_text') = 0
order by sql_text;

SQL_TEXT                                                     EXECUTIONS
------------------------------------------------------------ ----------
select * from dual where dummy = 'LITERAL1'                           1
select * from dual where dummy = 'LITERAL2'                           1

2 rows selected.

SQL>

From this we can see that both queries were parsed separately.

Substitution Variables

Substitution variables are a feature of the SQL*Plus tool. They have nothing to do with the way SQL is processed by the database server. When a substitution variable is used in a statement, SQL*Plus requests an input value and rewrites the statement to include it. The rewritten statement is passed to the database. As a result, the database server knows nothing of the substitution variable. The following example illustrates this by repeating the previous test, this time using substitution variables.

SQL> alter system flush shared_pool;

System altered.

SQL> select * from dual where dummy = '&dummy';
Enter value for dummy: SUBSTITUTION_VARIABLE1
old   1: select * from dual where dummy = '&dummy'
new   1: select * from dual where dummy = 'SUBSTITUTION_VARIABLE1'

no rows selected

SQL> select * from dual where dummy = '&dummy';
Enter value for dummy: SUBSTITUTION_VARIABLE2
old   1: select * from dual where dummy = '&dummy'
new   1: select * from dual where dummy = 'SUBSTITUTION_VARIABLE2'

no rows selected

SQL>


column sql_text format a60
select sql_text,
       executions
from   v$sqlarea
where  instr(sql_text, 'select * from dual where dummy') > 0
and    instr(sql_text, 'sql_text') = 0
order by sql_text;

SQL_TEXT                                                     EXECUTIONS
------------------------------------------------------------ ----------
select * from dual where dummy = 'SUBSTITUTION_VARIABLE1'             1
select * from dual where dummy = 'SUBSTITUTION_VARIABLE2'             1

2 rows selected.

SQL>

Once again, both statements were parsed separately. As far as the database server is concerned, literals and substitution variables are the same thing.

Exactly the same behavior occurs when scripts contain placeholders to allow parameters to be sent to them from the command line. So for example, imagine a script called "dummy.sql" containing the following.

select * from dual where dummy = '&1';

This can be called from SQL*Plus like this.

SQL> @dummy MyValue

When run, the placeholder '&1' will be replaced by the value 'MyValue'. This is just the same as a substitution variable.

Bind Variables

The following example illustrates the affect of bind variable usage on the shared pool. It follows the same format as the previous examples.

alter system flush shared_pool;

variable dummy varchar2(30);

exec :dummy := 'BIND_VARIABLE1';
select * from dual where dummy = :dummy;

exec :dummy := 'BIND_VARIABLE2';
select * from dual where dummy = :dummy;


column sql_text format a60
select sql_text,
       executions
from   v$sqlarea
where  instr(sql_text, 'select * from dual where dummy') > 0
and    instr(sql_text, 'sql_text') = 0
order by sql_text;

SQL_TEXT                                                     EXECUTIONS
------------------------------------------------------------ ----------
select * from dual where dummy = :dummy                               2

1 row selected.

SQL>

This clearly demonstrates that the same SQL statement was executed twice.

Performance Issues

The following example measures the amount of CPU used by a session for hard and soft parses when using literals. The shared pool is flushed and a new session is started. Dynamic SQL is used to mimic an application sending 10 statements to the database server. Notice that the value of the loop index is concatinated into the string, rather than using a bind variable. The CPU usage is retrieved from the V$MYSTAT view by querying the "parse time cpu" statistic. This statistic represents the total CPU time used for parsing (hard and soft) in 10s of milliseconds. The statements present in the shared pool are also displayed.

conn sys/password as sysdba

alter system flush shared_pool;


conn sys/password as sysdba

declare
  l_dummy  dual.dummy%type;
begin
  for i in 1 .. 10 loop
    begin
      execute immediate 'select dummy from dual where dummy = ''' || to_char(i) || ''''
      into l_dummy;
    exception
      when no_data_found then
        null;
    end;
  end loop;
end;
/

PL/SQL procedure successfully completed.

SQL>


select sn.name, ms.value
from   v$mystat ms, v$statname sn
where  ms.statistic# = sn.statistic#
and    sn.name       = 'parse time cpu';

NAME                                                                  VALUE
---------------------------------------------------------------- ----------
parse time cpu                                                           63

1 row selected.

SQL>


column sql_text format a60
select sql_text,
       executions
from   v$sqlarea
where  instr(sql_text, 'select dummy from dual where dummy') > 0
and    instr(sql_text, 'sql_text') = 0
and    instr(sql_text, 'declare') = 0
order by sql_text;

SQL_TEXT                                                     EXECUTIONS
------------------------------------------------------------ ----------
select dummy from dual where dummy = '1'                              1
select dummy from dual where dummy = '10'                             1
select dummy from dual where dummy = '2'                              1
select dummy from dual where dummy = '3'                              1
select dummy from dual where dummy = '4'                              1
select dummy from dual where dummy = '5'                              1
select dummy from dual where dummy = '6'                              1
select dummy from dual where dummy = '7'                              1
select dummy from dual where dummy = '8'                              1
select dummy from dual where dummy = '9'                              1

10 rows selected.

SQL>

The results show that 630 milliseconds of CPU time were used on parsing during the session. In addition, the shared pool contains 10 similar statements using literals.

The following example is a repeat of the previous example, this time using bind variables. Notice that the USING clause is used to supply the loop index, rather than concatenating it into the string.

conn sys/password as sysdba

alter system flush shared_pool;


conn sys/password as sysdba

declare
  l_dummy  dual.dummy%type;
begin
  for i in 1 .. 10 loop
    begin
      execute immediate 'select dummy from dual where dummy = to_char(:dummy)'
      into l_dummy using i;
    exception
      when no_data_found then
        null;
    end;
  end loop;
end;
/

PL/SQL procedure successfully completed.

SQL> 


select sn.name, ms.value
from   v$mystat ms, v$statname sn
where  ms.statistic# = sn.statistic#
and    sn.name       = 'parse time cpu';

NAME                                                                  VALUE
---------------------------------------------------------------- ----------
parse time cpu                                                           40

1 row selected.

SQL> 


column sql_text format a60
select sql_text,
       executions
from   v$sqlarea
where  instr(sql_text, 'select dummy from dual where dummy') > 0
and    instr(sql_text, 'sql_text') = 0
and    instr(sql_text, 'declare') = 0
order by sql_text;

SQL_TEXT                                                     EXECUTIONS
------------------------------------------------------------ ----------
select dummy from dual where dummy = to_char(:dummy)                 10

1 row selected.

SQL>

The results show that 400 milliseconds of CPU time were used on parsing during the session, less than two thirds the amount used in the previous example. As expected, there is only a single statement in the shared pool.

These simple examples clearly show how replacing literals with bind variables can save both memory and CPU, making OLTP applications faster and more scalable. If you are using third-party applications that don't use bind variables you may want to consider setting the CURSOR_SHARING parameter, but this should not be considered a replacement for bind variables. The CURSOR_SHARING parameter is less efficient and can potentially reduce performance compared to proper use of bind variables.

SQL Injection

Concatenating strings together with user input to form an SQL statement is a classic way to allow an SQL injection attack against your system. If you use bind variables for user input, the statement can't be attacked with an SQL injection attack. The statement is fixed. Only the bind variable value changes.

If for some reason you can't use a bind variable, you must sanitise the user input. This can be done using the DBMS_ASSERT package, described here.

For more information see:

Hope this helps. Regards Tim...

Back to the Top.

Back to normal view: https://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables