From: "Knight, Jon"
To: oracle-l@freelists.org
Subject: SQL Injection Concern
Date: Mon, 10 Jan 2005 10:32:31 -0600

We've got a table listing stored programs that need to execute after various application activity. My first thought is to just use "execute immediate" on the stored program. But this will allow anyone to insert a row into our table and execute arbitrary code. I'm interested in any suggestions or solutions you've implemented to tighten up security in such a situation.

Thanks,

Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN 38133
JKnight@concordefs.com
901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
www.FirstData.com

First Data's merger with Concord creates "One Company" with enhanced choice, voice and innovation for all customers.

--
http://www.freelists.org/webpage/oracle-l
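
One way to constrain the dispatch described in the message above, shown as an added example that is not part of the original post. The table POST_ACTIVITY_JOBS, its columns, the schema APP_OWNER and the procedure name are hypothetical; DBMS_ASSERT is Oracle's supplied package and must be available in the release in use.

```sql
-- Assumed (hypothetical) layout: POST_ACTIVITY_JOBS(activity, program_name)
-- lists the programs to run; APP_OWNER owns both the table and the programs.

-- Weak form from the message: whatever text sits in the row is executed.
--   EXECUTE IMMEDIATE 'BEGIN ' || r.program_name || '; END;';

CREATE OR REPLACE PROCEDURE run_post_activity (p_activity IN VARCHAR2)
  AUTHID DEFINER
AS
  l_name  post_activity_jobs.program_name%TYPE;
  l_found PLS_INTEGER;
BEGIN
  FOR r IN (SELECT program_name
              FROM post_activity_jobs
             WHERE activity = p_activity)
  LOOP
    -- Reject anything that is not a single SQL identifier
    -- (DBMS_ASSERT raises ORA-44003 for other input).
    l_name := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(r.program_name));

    -- The name must match an existing standalone procedure in the
    -- trusted schema; a quoted or unknown name finds no row here.
    SELECT COUNT(*)
      INTO l_found
      FROM all_objects
     WHERE owner       = 'APP_OWNER'
       AND object_type = 'PROCEDURE'
       AND object_name = l_name;

    IF l_found <> 1 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Program not allowed: ' || l_name);
    END IF;

    -- Fixed schema literal plus a re-quoted, verified name: the executed
    -- text can only be one call to a procedure owned by APP_OWNER.
    EXECUTE IMMEDIATE
      'BEGIN APP_OWNER.' || DBMS_ASSERT.ENQUOTE_NAME(l_name, FALSE) || '; END;';
  END LOOP;
END run_post_activity;
/

-- Privilege side (role name is an assumption): keep INSERT/UPDATE/DELETE on
-- POST_ACTIVITY_JOBS with the owning schema only, and give the application
-- nothing but EXECUTE on the dispatcher, for example:
--   GRANT EXECUTE ON run_post_activity TO app_role;
```

The name check limits what a row can invoke, while the table privileges limit who can add a row; the two controls cover different halves of the concern raised in the message.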