Today I released a new whitepaper "Bypassing Oracle dbms_assert".
<SNIP>
Oracle has no problem with the release of this information
("Oracle sees no problem with your publication of the
white paper.")
The reason Oracle sees no problem with the release of the paper is that for
your technique to work the DBMS_ASSERT.QUALIFIED_SQL_NAME has to be used in
the wrong context; you simply wouldn't use QUALIFIED_SQL_NAME in this
manner - i.e. within quotes. I've just had a quick look through the SYS
packages and find no instance of DBMS_ASSERT.QUALIFIED_SQL_NAME being used
this way. If there is such a case, in other words I've missed it, then it
would be a flaw in the package/procedure/function itslef and not a problem
with DBMS_ASSERT - with the fix being to use the correct DBMS_ASSERT
function instead of QUALIFIED_SQL_NAME or alternatively use a bind variable.
Cheers,
David
