in the case you have, there's no need for dynamic sql:
open o_cursor for
select sr.name, sr.bonus
from sales_staff sr
inner join product p
on p.sales_staff_id = sr.staff_id
where p.product_no = product_no;
if you were using dynamic SQL then ideally you would in most cases want to bind:
open o_cursor for
'select sr.name, sr.bonus
from sales_staff sr
inner join product p
on p.sales_staff_id = sr.staff_id
where p.product_no = :b1' using product_no;
failing that (edge cases, sometimes you want to avoid bind variables for skewed data), varchar2s need enclosing in quotes:
open o_cursor for
'select sr.name, sr.bonus
from sales_staff sr
inner join product p
on p.sales_staff_id = sr.staff_id
where p.product_no = ''' ||product_no||'''';
but you should escape single quotes and validate that product_no has no semi colons etc (i.e. careful of SQL injection)