tag:blogger.com,1999:blog-13265058.post3374707734037145843..comments2011-09-18T07:50:28.153+10:00Gary Myershttps://profiles.google.com/116132019768637593422noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-13265058.post-971180245938347442011-09-18T07:50:28.153+10:002011-09-18T07:50:28.153+10:00They love backwards compatibility too much to make it mandatory (especially for users of third party products). But you&#39;ve prompted the next blog post....<br /><br />I wouldn&#39;t be surprised if the next version includes a warning if the program unit uses dynamic SQL or anything else vulnerable to injection.Gary Myershttp://www.blogger.com/profile/10404756950638119562noreply@blogger.comtag:blogger.com,1999:blog-13265058.post-86165859816388981382011-09-17T20:44:16.321+10:002011-09-17T20:44:16.321+10:00Hi.<br /><br />Over the last few years the SQL injection and privilege escalation problems have forced Oracle themselves into using invoker rights on many internal packages. This should be a message to us that we need to think more seriously about it ourselves.<br /><br />I would not be overly disturbed if Oracle made this clause mandatory in future. If nothing else, people would be forced to understand the implications... :)<br /><br />I think people should leave the warnings on and add the clause to all their code. Of course, I&#39;ve not bothered to do that yet. :)<br /><br />Cheers<br /><br />Tim...Tim...http://www.blogger.com/profile/17721555946005999179noreply@blogger.com