As in wwv_execute_immediate, perhaps.

Niall

On Mon, Apr 28, 2008 at 5:40 AM, Robert Freeman <robertgfreeman@xxxxxxxxx> wrote:
> and be wary of any dynamic SQL! :-) That execute immediate stuff scares
> the willies out of me! :)
>
> Robert G. Freeman
> Author:
> Oracle Database 11g New Features (Oracle Press)
> Portable DBA: Oracle (Oracle Press)
> Oracle Database 10g New Features (Oracle Press)
> Oracle9i RMAN Backup and Recovery (Oracle Press)
> Oracle9i New Feature (Oracle Press)
> Blog: http://robertgfreeman.blogspot.com
>
> ----- Original Message ----
> From: David Aldridge <david@xxxxxxxxxxxxxxxxxx>
> To: oracle-l@xxxxxxxxxxxxx
> Sent: Sunday, April 27, 2008 7:12:24 PM
> Subject: Re: New form of sql injection hack documented
>
> So long story short ... use bind variables?
>
> ----- Original Message ----
> From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS@xxxxxx>
> To: oracle-l@xxxxxxxxxxxxx
> Sent: Friday, April 25, 2008 10:07:39 AM
> Subject: New form of sql injection hack documented
>
> FYI
>
> Yesterday, David Litchfield released a paper describing how a SQL
> injection attack could be done on a PL/SQL routine that does dynamic
> statement creation, even if the routine has no parameters and no user
> interaction.
>
> It's an interesting read.
>
> http://www.davidlitchfield.com/blog/archives/00000041.htm
>
> ----
> Matt Adams - GE Consumer and Industrial
> Database Administration
> It will make sense as soon as you stop thinking logically
> and start thinking oracle-ly. - Jim Droppa
>

--
Niall Litchfield
Oracle DBA
http://www.orawin.info
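To make the thread's two points concrete (a parameterless PL/SQL routine can still be injectable when it builds statement text by concatenation, and bind variables are the fix), here is an added example that is not from the thread or from Litchfield's paper; the procedure and table names are hypothetical. The risk shown is the one Litchfield's paper describes: a DATE concatenated into a string is implicitly converted using the calling session's NLS settings, so whoever controls the session controls part of the SQL text that a definer-rights procedure then executes.

```sql
-- Added example; procedure and table names are hypothetical.

-- Vulnerable pattern: no parameters and no user input, but SYSDATE is
-- implicitly converted to text with the session's NLS_DATE_FORMAT and
-- pasted into the statement. The caller's session settings therefore
-- become part of the SQL that EXECUTE IMMEDIATE parses, and a definer-
-- rights procedure runs that SQL with the owner's privileges.
CREATE OR REPLACE PROCEDURE purge_old_rows_unsafe AUTHID DEFINER AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'DELETE FROM audit_log WHERE created < ''' || SYSDATE || '''';
  EXECUTE IMMEDIATE v_sql;
END;
/

-- Hardened form: the date travels as a bind value, never as statement
-- text, so session NLS settings cannot change the SQL that is parsed.
CREATE OR REPLACE PROCEDURE purge_old_rows_safe AUTHID DEFINER AS
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE created < :cutoff'
    USING SYSDATE;
END;
/

-- Where an identifier genuinely must be spliced into the statement text
-- (a table name cannot be bound), validate it with DBMS_ASSERT rather
-- than trusting the caller; values still go through binds.
CREATE OR REPLACE PROCEDURE purge_table_safe(p_table IN VARCHAR2)
  AUTHID DEFINER AS
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM '
    || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    || ' WHERE created < :cutoff'
    USING SYSDATE;
END;
/
```

A quick check for existing code is to grep package bodies for `EXECUTE IMMEDIATE` and `DBMS_SQL.PARSE` and inspect any statement string built with `||` from a DATE or NUMBER expression rather than a bind.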