I've never worked on sql server. If I get a chance I'll go through my old emails and find the exact system/db version/compiler where it happened. Ken From: Stephane Faroult [mailto:sfaroult@xxxxxxxxxxxx] Sent: Monday, May 02, 2011 5:27 PM To: Freek.DHooge@xxxxxxxxx Cc: Kenneth Naim; oratune@xxxxxxxxx; jkstill@xxxxxxxxx; 'Oracle-L Freelists' Subject: Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements Ken, I think that you are confusing with SQL Server. Oracle isn't that smart ;-). Stephane Faroult RoughSea Ltd <http://www.roughsea.com> Konagora <http://www.konagora.com> RoughSea Channel on Youtube <http://www.youtube.com/user/roughsealtd> On 05/02/2011 10:05 PM, D'Hooge Freek wrote: Kenneth, Are you sure about this? I thought I had seen a query when investigating a different problem, which had both "normal" bind variablen and system generated ones. I can't directly find the example again, but I will see if I can reproduce it. Regards, Freek D'Hooge Uptime Oracle Database Administrator email: freek.dhooge@xxxxxxxxx tel +32(0)3 451 23 82 http://www.uptime.be disclaimer: www.uptime.be/disclaimer --- From: Kenneth Naim [mailto:kennethnaim@xxxxxxxxx] Sent: maandag 2 mei 2011 21:35 To: oratune@xxxxxxxxx; D'Hooge Freek; jkstill@xxxxxxxxx; 'Oracle-L Freelists' Subject: RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements Another caveat with cursor sharing is if the application uses bind variables and literals in the same statement, the literals won't be replaced as the optimizer assumes the developer that choose to use bind variables was smart enough to use them everywhere they should be used. Ken -- //www.freelists.org/webpage/oracle-l _____ Checked by AVG - www.avg.com Version: 10.0.1325 / Virus Database: 1500/3610 - Release Date: 05/02/11 _____ Checked by AVG - www.avg.com Version: 10.0.1325 / Virus Database: 1500/3610 - Release Date: 05/02/11