Hello all,

Both DBMS_XMLSTORE and DBMS_XMLSAVE have functions that can be used as auxiliary injection functions in a PL/SQL injection attack. Consider revoking the execute permission from public to help prevent abuse.

Details in the paper: http://www.davidlitchfield.com/DBMS_XMLSTORE_PLSQL_Injection.pdf

Cheers,
David
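
One way to carry out the suggested revoke with a before-and-after check, as an added example that is not part of the original post or the paper. It assumes both packages are owned by SYS, that the session can read the DBA_* views, and that APP_OWNER is a hypothetical schema name.

```sql
-- Added example, not from the original post.
-- Assumptions: packages owned by SYS; session can query the DBA_* views.

-- 1. Who can currently execute the two packages?
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  table_name IN ('DBMS_XMLSTORE', 'DBMS_XMLSAVE')
AND    privilege = 'EXECUTE'
ORDER  BY table_name, grantee;

-- 2. Which non-SYS objects reference them (directly or through the public
--    synonym) and may rely on the PUBLIC grant?
SELECT owner, name, type, referenced_owner, referenced_name
FROM   dba_dependencies
WHERE  referenced_name IN ('DBMS_XMLSTORE', 'DBMS_XMLSAVE')
AND    referenced_type IN ('PACKAGE', 'SYNONYM')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 3. Grant directly to each schema from step 2 that has a real need.
--    APP_OWNER is a hypothetical placeholder; uncomment and adjust.
-- GRANT EXECUTE ON sys.dbms_xmlstore TO app_owner;
-- GRANT EXECUTE ON sys.dbms_xmlsave  TO app_owner;

-- 4. Remove the PUBLIC grant.
REVOKE EXECUTE ON sys.dbms_xmlstore FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_xmlsave  FROM PUBLIC;

-- 5. Confirm PUBLIC no longer appears (expect no rows).
SELECT grantee, table_name
FROM   dba_tab_privs
WHERE  table_name IN ('DBMS_XMLSTORE', 'DBMS_XMLSAVE')
AND    grantee = 'PUBLIC';

-- 6. List objects left invalid so missed dependencies can be regranted.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```

Run steps 1 and 2 in a test instance first; objects that depended on the PUBLIC grant are invalidated by step 4 until a direct grant is in place.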