G-9010: Always use a format model in string to date/time conversion functions.
Blocker
Changeability, Maintainability, Reliability, Security, Testability
Reason
Converting from strings to date
or timestamp
datatypes (using to_date
, to_timestamp
, to_timestamp_tz
or cast
to any of those datatypes) in practice always expects a fixed format (unlike converting to strings that can be fixed as well as allow the session to decide). Therefore it is a bad idea to allow this conversion to rely on the session NLS settings (nls_date_format
, nls_timestamp_format
and nls_timestamp_tz_format
) as this makes the code vulnerable to changes in session and/or server configuration. It is even possible to utilize session nls_date_format
for SQL injection if you use dynamic SQL.
Using an explicit format model for string to date
or timestamp
conversion avoids this inappropriate dependability on configurable NLS parameters.
Example (bad)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
Example (good)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|