Comments on: Oracle 11G: XMLQuery = eval https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/ Friends of Oracle and Java Wed, 08 Jul 2015 07:37:03 +0000

By: Laurent Schneider https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/#comment-4812 Tue, 31 Jul 2007 21:24:43 +0000 http://technology.amis.nl/blog/?p=2302#comment-4812
Andre,
On the other hand, 11g documented the DBMS_ASSERT package to prevent SQL injection 😎

By: Andre https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/#comment-4811 Mon, 30 Jul 2007 23:14:23 +0000 http://technology.amis.nl/blog/?p=2302#comment-4811
I trust that 11g has a lot more attack surface than any other Oracle version. EVAL functions are potential new SQL injection opportunities, or am I wrong? Which would not make me happy, because I am not a pro hacker but a database customer.
Andre

By: Marco Gralike https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/#comment-4810 Mon, 16 Jul 2007 00:28:17 +0000 http://technology.amis.nl/blog/?p=2302#comment-4810
Based on Oracle 11g Beta, the autotrace output is as follows.

== First Time ==

Execution Plan
----------------------------------------------------------
Plan hash value: 1236776825

------------------------------------------------------------------------------
| Id  | Operation                    | Name | Rows  | Cost (%CPU)| Time     |
------------------------------------------------------------------------------
|   0 | SELECT STATEMENT             |      |     1 |     2   (0)| 00:00:01 |
|*  1 |  CONNECT BY WITHOUT FILTERING|      |       |            |          |
|   2 |   FAST DUAL                  |      |     1 |     2   (0)| 00:00:01 |
------------------------------------------------------------------------------

Predicate Information (identified by operation id):
---------------------------------------------------

   1 - filter(LEVEL

By: Marco Gralike https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/#comment-4809 Mon, 16 Jul 2007 00:02:57 +0000 http://technology.amis.nl/blog/?p=2302#comment-4809
Nice post! I like it as well. It gives a good example of how you can use XMLDB functions in your day-to-day relational environment.

By: Laurent Schneider https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/#comment-4808 Sun, 15 Jul 2007 20:14:22 +0000 http://technology.amis.nl/blog/?p=2302#comment-4808
I like this!

By: Lucas Jellema https://technology.amis.nl/2007/07/14/oracle-11g-xmlquery-eval/#comment-4807 Sat, 14 Jul 2007 18:24:08 +0000 http://technology.amis.nl/blog/?p=2302#comment-4807
You leave it up to the reader to grasp the meaning of this – what the heck is an EVAL function? It is quite interesting of course: it allows in-place, immediate evaluation of dynamically constructed pieces of SQL – it's like calling a PL/SQL function that uses EXECUTE IMMEDIATE or dbms_sql to process the string passed in and returns the result – without having to create the function.

Have you any comments on the performance impact of using this eval wannabe?
Lucas
