Re: Protection from SQL injection
| From | Thomas Mueller |
|---|---|
| Subject | Re: Protection from SQL injection |
| Date | |
| Msg-id | 5f211bd50804261119x25c6d488hec0cde5bab189ac5@mail.gmail.com |
| In response to | Re: Protection from SQL injection ("Jaime Casanova" <systemguards@gmail.com>) |
| Responses | Re: Protection from SQL injection |
| List | pgsql-sql |

Hi,

> > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or
> > by an administrator.
> then it solves nothing...
> what if the developer never SET ALLOW_LITERALS NONE

As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the
developer itself, or by an administrator. The developer may be lazy,
but the administrator can enforce this policy.

> maybe i can inject "select * from tab where intcol = intcol; set
> allow_literals all; add any query you want"

How do you inject this? How would the application look like where
this can be injected?

Regards,
Thomas