Hi,

You might be interested in the two-part paper I wrote about SQL Injection in Oracle. You can find them at http://www.petefinnigan.com/orasec.htm - I have also talked about SQL injection a few times in my Oracle security weblog - you can find the links on my archive page http://www.petefinnigan.com/weblog/archives/ - There is also a search box on there.

The issue of making a table truly read only was done to death a couple of months or so ago on one of the lists - I think c.d.o.s - Howard wrote a paper about it as well - which you can find at http://www.dizwell.com/html/read-only_tables.html - I also talked about this subject again in my Oracle security weblog.

What is the solution? - As Jared suggests, bind variables are a great step forwards. Do not allow anyone to insert text that can be added to a dynamic SQL statement - filter any input or updates to the table in question - although this is usually futile as it's virtually impossible to filter for bad input, as the known list of "bad things" can easily be added to by creative people. It is better to concentrate on a "white" list of "good" input, i.e. clearly design allowed statements and ensure that input matches the rules.

Hope this helps a bit.

Kind regards

Pete
--
Pete Finnigan (email:pete@xxxxxxxxxxxxxxxx)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
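Added example, not part of the original post: the two measures named above (bind variables, and a white list for the parts of a statement that cannot be bound) shown next to the concatenated form they replace. SQLite stands in for Oracle so the code runs offline; the `emp` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; SQLite stands in for Oracle so the example runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp (ename TEXT, job TEXT, sal INTEGER)")
    db.executemany("INSERT INTO emp VALUES (?, ?, ?)",
                   [("SCOTT", "ANALYST", 3000), ("KING", "PRESIDENT", 5000),
                    ("ADAMS", "CLERK", 1100)])
    return db

def find_concat(db, ename):
    # Vulnerable form: the input becomes part of the statement text.
    sql = "SELECT ename, sal FROM emp WHERE ename = '" + ename + "'"
    return db.execute(sql).fetchall()

def find_bound(db, ename):
    # Bind variable: the input is only ever a value, never SQL text.
    return db.execute("SELECT ename, sal FROM emp WHERE ename = :n",
                      {"n": ename}).fetchall()

# Identifiers and keywords cannot be bound, so they are matched against
# a white list of allowed values instead of being filtered for bad ones.
SORT_COLUMNS = {"ename", "job", "sal"}
SORT_DIRECTIONS = {"asc", "desc"}

def list_sorted(db, column, direction="asc"):
    column, direction = column.lower(), direction.lower()
    if column not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("sort option not in allowed list")
    # Only values that matched the white list reach the statement text.
    return db.execute(
        f"SELECT ename FROM emp ORDER BY {column} {direction}").fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"                 # constructed input
    print(len(find_concat(db, hostile)))     # condition rewritten by the input
    print(len(find_bound(db, hostile)))      # treated as a literal name
    print(list_sorted(db, "sal", "desc"))
    try:
        list_sorted(db, "sal; DROP TABLE emp")
    except ValueError as exc:
        print("rejected:", exc)
```

In Oracle PL/SQL the bound form corresponds to `EXECUTE IMMEDIATE ... USING`, and the white-list check applies to any table, column or keyword text that has to be placed into a dynamic statement.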