and be wary of any dynamic SQL! :-) That execute immediate stuff scares the willies out of me! :) Robert G. Freeman Author: Oracle Database 11g New Features (Oracle Press) Portable DBA: Oracle (Oracle Press) Oracle Database 10g New Features (Oracle Press) Oracle9i RMAN Backup and Recovery (Oracle Press) Oracle9i New Feature Blog: http://robertgfreeman.blogspot.com (Oracle Press) ----- Original Message ---- From: David Aldridge <david@xxxxxxxxxxxxxxxxxx> To: oracle-l@xxxxxxxxxxxxx Sent: Sunday, April 27, 2008 7:12:24 PM Subject: Re: New form of sql injection hack documented So long story short ... use bind variables? ----- Original Message ---- From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS@xxxxxx> To: oracle-l@xxxxxxxxxxxxx Sent: Friday, April 25, 2008 10:07:39 AM Subject: New form of sql injection hack documented FYI yesterday, david litchfield released a paper describing how a sql injection attack could be done on a pl/sql routine that does dynamic statement creation, even if the routine has no parameters and no user interaction. it's an interesting read. http://www.davidlitchfield.com/blog/archives/00000041.htm ---- Matt Adams - GE Consumer and Industrial Database Administration It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa