ABSTRACT

Functions that cannot be used safely should never be used.

EXPLANATION

DBMS_UTILITY.EXEC_DDL_STATEMENT executes only statements that are classified as Data Definition Language (DDL). Any other statement, which embedded SQL does not support, is silently ignored rather than rejected with an error. Because the procedure returns normally in both cases, a caller cannot tell whether its statement ran, which makes errors difficult to detect when the procedure is used.
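The following PL/SQL is an added illustration written for this page; it is not code from the original page, from Oracle, or from the references. It assumes a hypothetical table AUDIT_LOG owned by the current schema and a hypothetical procedure name TRUNCATE_APP_TABLE. The first block shows the silent no-op the explanation describes, the second shows a narrow replacement that validates its identifier with DBMS_ASSERT and runs through EXECUTE IMMEDIATE so failures raise exceptions, and the third runs the DML from the first block the way it should be run.

```sql
-- Added illustration (not from the original page). Assumes a hypothetical
-- table AUDIT_LOG in the current schema; enable DBMS_OUTPUT (SET SERVEROUTPUT ON
-- in SQL*Plus or SQLcl) to see the messages.

-- 1. The silent no-op: UPDATE is DML, so EXEC_DDL_STATEMENT ignores it and
--    returns normally. The caller has no way to tell that nothing ran.
BEGIN
  DBMS_UTILITY.EXEC_DDL_STATEMENT(
    'UPDATE audit_log SET note = ''archived'' WHERE note IS NULL');
  DBMS_OUTPUT.PUT_LINE('EXEC_DDL_STATEMENT returned without error; rows changed: unknown');
END;
/

-- 2. Replacement: a procedure that builds the one DDL statement it is meant
--    to run, validates the identifier with DBMS_ASSERT, and executes through
--    EXECUTE IMMEDIATE so that any failure propagates as an exception.
CREATE OR REPLACE PROCEDURE truncate_app_table(p_table IN VARCHAR2) AS
  l_name VARCHAR2(128);
BEGIN
  -- Raises ORA-44003 for anything that is not a valid simple SQL name, which
  -- stops a caller from appending extra clauses to the statement text.
  l_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
  -- Quote the validated name so the final text is exactly one TRUNCATE.
  EXECUTE IMMEDIATE 'TRUNCATE TABLE ' || DBMS_ASSERT.ENQUOTE_NAME(l_name);
  -- ORA-00942 (table does not exist), ORA-01031 (insufficient privileges) and
  -- similar errors reach the caller instead of being swallowed.
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('truncate_app_table failed: ' || SQLERRM);
    RAISE;
END truncate_app_table;
/

-- 3. The DML that block 1 tried to run, executed where it belongs: EXECUTE
--    IMMEDIATE with a bind variable, and SQL%ROWCOUNT to confirm the effect.
DECLARE
  l_rows PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE
    'UPDATE audit_log SET note = :1 WHERE note IS NULL' USING 'archived';
  l_rows := SQL%ROWCOUNT;
  DBMS_OUTPUT.PUT_LINE('rows updated: ' || l_rows);
END;
/
```

The replacement deliberately takes an identifier rather than a statement: a procedure that accepts arbitrary SQL text is itself a dynamic-SQL sink, so the DDL verb is fixed in the code and only the object name varies, and that name is checked before it is concatenated. Statement-level errors then surface through the normal Oracle exception mechanism instead of disappearing inside EXEC_DDL_STATEMENT.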

REFERENCES

[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 242

[2] How to write SQL injection proof PL/SQL