Sandra > They refuse to even look at the statement because > it is dynamically created in the application using javaScript. That's the best part. Try to read on how easily one can tweak client-side scripting, lecture somebody high enough in the hierarchy on SQL injection, and I think that your application will be changed very fast. HTH, S Faroult -- //www.freelists.org/webpage/oracle-l