Jon,

Yes that is a concern. In our case data that goes into a table is only data to be passed to the procedure, not part of an execute immediate.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx]
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: SQL Injection Concern

We've got a table listing stored programs that need to execute after various application activity. My first thought is to just use "execute immediate" on the stored program. But this will allow anyone to insert a row into our table and execute arbitrary code. I'm interested in any suggestions or solutions you've implemented to tighten up security in such a situation.

Thanks,
Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN 38133
JKnight@xxxxxxxxxxxxxx
901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
www.FirstData.com
First Data's merger with Concord creates "One Company" with enhanced choice, voice and innovation for all customers.

--
//www.freelists.org/webpage/oracle-l
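
An added example, not code from either poster: one way to harden the table-driven dispatch discussed in this thread, so that a queued row can only name a pre-approved program and its argument is passed as a bind variable, never as statement text. The names job_queue, approved_programs and run_jobs are hypothetical, and the sketch assumes an Oracle release that provides DBMS_ASSERT.

```sql
-- Constructed schema. job_queue is writable by the application;
-- approved_programs is writable only by the schema owner (grant no
-- INSERT/UPDATE on it to application accounts).
CREATE TABLE approved_programs (
  program_name VARCHAR2(92) PRIMARY KEY   -- e.g. OWNER.PKG.PROC, upper case
);

CREATE TABLE job_queue (
  activity     VARCHAR2(30) NOT NULL,
  program_name VARCHAR2(92) NOT NULL,
  arg_value    VARCHAR2(4000)
);

CREATE OR REPLACE PROCEDURE run_jobs (p_activity IN VARCHAR2)
IS
  v_name    VARCHAR2(92);
  v_allowed PLS_INTEGER;
BEGIN
  FOR j IN (SELECT program_name, arg_value
              FROM job_queue
             WHERE activity = p_activity)
  LOOP
    -- Unsafe form from the question: EXECUTE IMMEDIATE on the row content,
    -- which turns whatever was inserted into code.

    -- Check 1: the value must be a syntactically valid (qualified) SQL
    -- name; anything else raises ORA-44004 before a statement is built.
    v_name := DBMS_ASSERT.QUALIFIED_SQL_NAME(UPPER(j.program_name));

    -- Check 2: the name must appear in the protected allowlist.
    SELECT COUNT(*) INTO v_allowed
      FROM approved_programs
     WHERE program_name = v_name;

    IF v_allowed = 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Program not approved: ' || v_name);
    END IF;

    -- Only the validated name is concatenated; the argument is bound.
    EXECUTE IMMEDIATE 'BEGIN ' || v_name || '(:arg); END;'
      USING j.arg_value;
  END LOOP;
END run_jobs;
/
```

The allowlist only helps if write access to approved_programs is narrower than write access to job_queue; with that split, inserting a row into the queue can at most schedule a program that was already approved.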