List, Here is a recent paper on how hackers can use the SQL injection technique. http://www.ngssoftware.com/papers/sqlinference.pdf The SQL Server example appears quite appaling, with a hacker being able to access the O.S. The Oracle example looks bad (select password from dba_users) on the surface, but an ordinary user shouldn't have that table and the password is encrypted anyway. Does anyone know if current versions of SQL Server are this vulnerable? Dennis Williams