Comments on: Oracle 11G: XMLQuery = eval

By: Laurent Schneider

Laurent Schneider — Tue, 31 Jul 2007 21:24:43 +0000

Andre,
On the other hand, 11g documented the DBMS_ASSERT package to prevent sql injection

By: Andre

Andre — Mon, 30 Jul 2007 23:14:23 +0000

I trust that 11g has a lot more attack surface than any other oracle version. EVAL functions are potential new sql injection opportunities, or am I wrong? Which would not make me happy, because I am not a pro hacker but a database customer.
Andre

By: Marco Gralike

Marco Gralike — Mon, 16 Jul 2007 00:28:17 +0000

Bases on Oracle 11g Beta autotrace output is as follows.

== First Time ==

Execution Plan
———————————————————-
Plan hash value: 1236776825

—————————————————————————–
| Id | Operation | Name | Rows | Cost (%CPU)| Time |
—————————————————————————–
| 0 | SELECT STATEMENT | | 1 | 2 (0)| 00:00:01 |
|* 1 | CONNECT BY WITHOUT FILTERING| | | | |
| 2 | FAST DUAL | | 1 | 2 (0)| 00:00:01 |
—————————————————————————–

Predicate Information (identified by operation id):
—————————————————

1 – filter(LEVEL

By: Marco Gralike

Marco Gralike — Mon, 16 Jul 2007 00:02:57 +0000

Nice post! I like it aswel. It gives and good example how you can use XMLDB functions in your day to day relational environment.

By: Laurent Schneider

Laurent Schneider — Sun, 15 Jul 2007 20:14:22 +0000

I like this!

By: Lucas Jellema

Lucas Jellema — Sat, 14 Jul 2007 18:24:08 +0000

You leave up it up to the reader to grasp the meaning of this – what the hack is an EVAL function. It is quite interesting of course: it allows in-place, immediate evaluation of dynamically constructed pieces of SQL – its like calling a PL/SQL function that uses EXECUTE IMMEDIATE or dbms_sql to process the string passed in and returns the result – without having to create the function.

Have you any comments on performance impact of using this eval wannabe?
Lucas