Reposting, including Alberto's answer, now to the list. Of course, I forgot to hit the reply all again.

I understand this can be achieved with dynamic SQL only. I just thought it might be right to post a little warning about SQL injection. Well documented, this nice feature might act as a beautiful honeypot.

Best regards,

Carel-Jan Engel

===
If you think education is expensive, try ignorance. (Derek Bok)
===

On Tue, 2007-03-27 at 23:23 +0200, Alberto Dell'Era wrote:
> Yes, as any dynamic SQL solution, but there's no other way
> to do what the OP was asking for - and it is obviously a
> proof-of-concept, not a ready-for-production solution.
>
> To iron the solution, one could, for example, install eval()
> on a dedicated schema, without any privilege whatsoever
> besides the one(s?) needed to read from dual (or maybe
> even using a custom mydual and revoke the select priv from
> dual, if possible), no object in the schema, etcetera;
> maybe even logging any error in the alert log to catch
> the hacker with his hands in the jar. But, those are trivial
> tricks that anyone should immediately think about in a
> knee-jerk reaction when stumbling on dynamic SQL.
>
> (You have replied to me privately, not to the whole Oracle-L;
> feel free to post this and your caveat on the list if you feel like)
>
> bye
> Alberto
>
> On 3/27/07, Carel-Jan Engel <cjpengel.dbalert@xxxxxxxxx> wrote:
> > This is lovely for SQL injection attacks!
> >
> > On Tue, 2007-03-27 at 20:45 +0200, Alberto Dell'Era wrote:
> > > I'd go with something like
> > >
> > > create or replace function eval (expr varchar2)
> > > return number
> > > deterministic
> > > <snip to avoid overquoting>
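As an added illustration of the hardening Alberto sketches (this is not code from the thread or from Alberto; EVAL_OWNER, APP_USER and the two function names are placeholders chosen here), the bare dynamic-SQL eval() is shown beside a variant that only accepts an arithmetic expression, together with the dedicated low-privilege owner he describes as the deployment:

```sql
-- Added example, not from the Oracle-L thread. All schema, user and
-- function names are placeholders; the password is a placeholder too.

------------------------------------------------------------------------
-- 1. Deployment, run as a DBA: an owner that holds nothing and can do
--    nothing beyond what PUBLIC can (select from SYS.DUAL). Connect as
--    EVAL_OWNER only long enough to create the functions in section 2.
------------------------------------------------------------------------
CREATE USER eval_owner IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION, CREATE PROCEDURE TO eval_owner;
-- no CREATE TABLE, no tablespace quota, no roles, no other objects

------------------------------------------------------------------------
-- 2. Create as EVAL_OWNER.
--    2a. The bare pattern the thread discusses: the caller's text is
--        spliced straight into the statement, so the statement can do
--        anything the owner's privileges allow.
------------------------------------------------------------------------
CREATE OR REPLACE FUNCTION eval_unchecked (expr IN VARCHAR2)
  RETURN NUMBER
  DETERMINISTIC
IS
  l_result NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'select ' || expr || ' from dual' INTO l_result;
  RETURN l_result;
END eval_unchecked;
/

------------------------------------------------------------------------
--    2b. Hardened: the input must be an arithmetic expression. Digits,
--        the decimal point, + - * /, parentheses and blanks are allowed;
--        letters, quotes, semicolons and || never reach the statement.
--        The two comment introducers are refused separately so the
--        statement cannot be truncated with -- or /* either.
------------------------------------------------------------------------
CREATE OR REPLACE FUNCTION eval_arith (expr IN VARCHAR2)
  RETURN NUMBER
  DETERMINISTIC
IS
  l_result NUMBER;
BEGIN
  IF expr IS NULL
     OR LENGTH(expr) > 200
     OR NOT REGEXP_LIKE(expr, '^[0-9+*/(). -]+$')
     OR INSTR(expr, '--') > 0
     OR INSTR(expr, '/*') > 0
  THEN
    -- Do not echo the rejected text back to the caller; the ORA-20001
    -- in the session's audit trail is enough to notice someone probing.
    RAISE_APPLICATION_ERROR(-20001, 'eval_arith: expression rejected');
  END IF;

  -- Definer's rights (the default, AUTHID DEFINER): this statement runs
  -- with EVAL_OWNER's privileges, not the caller's.
  EXECUTE IMMEDIATE 'select ' || expr || ' from dual' INTO l_result;
  RETURN l_result;
END eval_arith;
/

------------------------------------------------------------------------
-- 3. Lock down, run as a DBA once the functions exist. Nobody needs to
--    log in as EVAL_OWNER again; callers only get EXECUTE on the
--    checked variant.
------------------------------------------------------------------------
REVOKE CREATE SESSION FROM eval_owner;
GRANT EXECUTE ON eval_owner.eval_arith TO app_user;

------------------------------------------------------------------------
-- 4. Sanity checks, run as APP_USER.
------------------------------------------------------------------------
-- passes the filter and is evaluated on DUAL
SELECT eval_owner.eval_arith('(3 + 4) * 2') AS answer FROM dual;
-- refused by the filter before any statement is built: letters are not
-- in the whitelist
SELECT eval_owner.eval_arith('sysdate') AS answer FROM dual;
```

The whitelist does the real work; the empty, session-less owner is defence in depth for the case where the filter is loosened later, since definer's rights mean the spliced statement can only read DUAL whatever the caller passes. The error logging Alberto mentions would need an INSERT grant on a log table owned by some other schema, so that EVAL_OWNER still owns no objects of its own.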