Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Execute some basic math in a single SQL

Re: Execute some basic math in a single SQL

From: Carel-Jan Engel <>
Date: Tue, 27 Mar 2007 23:29:12 +0200
Message-Id: <>

Reposting, including Alberto's answer, now to the list. Of course, I forgot to hit the reply all again.

I understand this can be achieved with dynamical SQL only. I just thought it might be right to post a little warning about SQL injection.
Well documented this nice feature might act as a beautiful honeypot

Best regards,

Carel-Jan Engel

If you think education is expensive, try ignorance. (Derek Bok) ===

On Tue, 2007-03-27 at 23:23 +0200, Alberto Dell'Era wrote:

> Yes, as any dynamic sql solution, but there's not other way
> to do what the OP was asking for - and it is obviously a
> proof-of-concept, not a ready-for-production solution.
> To iron the solution, one could, for example, install eval()
> on a dedicated schema, without any privilege whatsoever
> besides the one(s?) needed to read from dual (or maybe
> even using a custom mydual and revoke the select priv from
> dual, if possible), no object in the schema, etcetera;
> maybe even logging any error in the alert log to catch
> the hacker with his hands in the jar. But, those are trivial
> tricks that anyone should immediately think about in a
> knee-jerk reaction when stumbling on dynamic sql.
> (You have replied to me privately, not to the whole Oracle-L;
> feel free to post this and your caveat on the list if you feel like)
> bye
> Alberto
> On 3/27/07, Carel-Jan Engel <> wrote:
> This is lovely for SQL injection attacks!
> On Tue, 2007-03-27 at 20:45 +0200, Alberto Dell'Era wrote:
> > I'do go with something like
> >
> > create or replace function eval (expr varchar2)
> > return number
> > deterministic
> <snip to avoid overquoting>

Received on Tue Mar 27 2007 - 16:29:12 CDT

Original text of this message