Comments on Sydney Oracle Lab: WARNING, WARNING, DANGER, DANGER !

sydoracle, 2011-09-18T07:50:28.153+10:00:

They love backwards compatibility too much to make it mandatory (especially for users of third party products). But you've prompted the next blog post....

I wouldn't be surprised if the next version includes a warning if the program unit uses dynamic SQL or anything else vulnerable to injection.

Tim..., 2011-09-17T20:44:16.321+10:00:

Hi.

Over the last few years the SQL injection and privilege escalation problems have forced Oracle themselves into using invoker rights on many internal packages. This should be a message to us that we need to think more seriously about it ourselves.

I would not be overly disturbed if Oracle made this clause mandatory in future. If nothing else, people would be forced to understand the implications... :)

I think people should leave the warnings on and add the clause to all their code. Of course, I've not bothered to do that yet. :)

Cheers

Tim...