If I have a valid SQL string, can I still execute it in my PL/SQL but guarantee that it is a SELECT statement only, without complicated parsing to make sure it does not contain any escape characters, nested commands or any of that jazz?
EDIT:
What I'm really trying to accomplish is a generic query tool built into my application. It has a friendly, domain-specific graphical interface and allows a very non-technical user to create fairly complex queries. The tool handles version search, adds internal joins where necessary, and does some other things that you will not find in a typical SQL development tool.
The application successfully creates an SQL query. The problem is that I also allow users to directly enter their own SQL. I am worried about potential issues like SQL injection.
I am not sure if this is the right place, but in addition to the question: if anyone could recommend a good Oracle book that would help me deal with such things, I would really appreciate it.