Use bind variables. That will greatly reduce or eliminate the chance of SQL injection with 'execute immedate'. On Mon, 10 Jan 2005 10:32:31 -0600, Knight, Jon <jknight@xxxxxxxxxxxxxx> wrote: > We've got a table listing stored programs that need to execute after > various application activity. My first thought is to just use "execute > immediate" on the stored program. But this will allow anyone to insert a > row into our table and execute arbitrary code. I'm interested in any > suggestions or solutions you've implemented to tighten up security in such a > situation. > -- Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist -- //www.freelists.org/webpage/oracle-l