I was under the impression (apparently wrong) that if you use bind variables, SQL injection won't work. The only way I know to get SQL injection to work is to dummy up the quotes to manipulate the where clause?

-------------- Original message --------------
> Hi Ruth,
>
> This is related to the first quarterly patch set release. NGS are
> probably one of many researchers who have found security bugs that

--
//www.freelists.org/webpage/oracle-l
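
As an added illustration (not part of the original message or the list thread), this Python sketch contrasts a WHERE clause built by string concatenation with the same lookup done through a bind variable. It assumes the standard-library sqlite3 module as a stand-in for an Oracle database; the table, function names and input values are constructed for the example.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for the Oracle database (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (ename TEXT, sal INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?)",
                     [("SCOTT", 3000), ("KING", 5000), ("ADAMS", 1100)])
    return conn

def lookup_concat(conn, name):
    # Vulnerable: the value is pasted into the statement text, so a quote
    # in `name` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT ename, sal FROM emp WHERE ename = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn, name):
    # Bind variable: the statement text is fixed before the value is seen;
    # the value is supplied separately and is only ever compared as data.
    sql = "SELECT ename, sal FROM emp WHERE ename = :name"
    return conn.execute(sql, {"name": name}).fetchall()

def compare(name):
    # Run both lookups against a fresh copy of the constructed table.
    conn = make_db()
    try:
        return lookup_concat(conn, name), lookup_bound(conn, name)
    finally:
        conn.close()

if __name__ == "__main__":
    for value in ("SCOTT", "x' OR 'a'='a"):  # constructed inputs
        concat_rows, bound_rows = compare(value)
        print(f"{value!r}: concatenated={len(concat_rows)} rows, "
              f"bound={len(bound_rows)} rows")
```

With the quoted input, the concatenated statement returns every row because the WHERE clause itself has changed, while the bound statement returns none because no employee has that literal name.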