This is something I always knew, but I was looking up how the handle to the XML is managed in Windows and also if it's a special version of MSXML used. Looking this stuff up I found a stern warning
Quote:
OpenXML allows the row and column XPath patterns to be parameterized as variables. Such parameterization could lead to XPath expression injections, if the programmer exposes the parameterization to outside users (for example, if the parameters are provided via an externally called stored procedure). To avoid such potential security issues, it is recommended that XPath parameters should never be exposed to external callers.
ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/060126fc-ed0f-478f-830a-08e418d410dc.htm
Figured I'd share that with people in the friendly database forum. That's for Microsoft's SQL Server of course but the concept applies across the board. Oracle might even need more care because it's more powerful with XML.
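To make the warning concrete, here is an added T-SQL example (not from the original post or from Microsoft's documentation). It uses a constructed XML document and hypothetical procedure names: usp_GetOrders_Unsafe hands the OPENXML row pattern straight to whoever calls the procedure, which is exactly the exposure the quote describes; usp_GetOrders_Safe keeps every XPath expression as a literal inside the procedure and lets the caller pick only from a fixed set of named views; usp_GetOrdersByStatus_XQuery shows the newer XQuery route, where a caller-supplied value is bound with sql:variable() and so is compared as data rather than spliced into the path.

```sql
-- Constructed sample document (assumption: this is the XML an external caller sends).
DECLARE @sampleXml NVARCHAR(MAX) = N'
<Orders>
  <Order Id="1" Status="shipped"><Item Sku="A100" Qty="2"/></Order>
  <Order Id="2" Status="pending"><Item Sku="B200" Qty="1"/></Order>
</Orders>';
GO

-- Vulnerable pattern: the XPath row pattern is a procedure parameter, so any
-- caller can rewrite which nodes OPENXML selects. Hypothetical name.
CREATE PROCEDURE dbo.usp_GetOrders_Unsafe
    @xmlDoc     NVARCHAR(MAX),
    @rowPattern NVARCHAR(200)   -- externally supplied XPath: the injection point
AS
BEGIN
    DECLARE @idoc INT;
    EXEC sp_xml_preparedocument @idoc OUTPUT, @xmlDoc;
    SELECT Id, Status
    FROM OPENXML(@idoc, @rowPattern, 1)
         WITH (Id INT '@Id', Status NVARCHAR(20) '@Status');
    EXEC sp_xml_removedocument @idoc;
END
GO

-- Hardened pattern: the caller names a view; the XPath never leaves the procedure.
-- Unknown view names are rejected instead of being interpreted. Hypothetical name.
CREATE PROCEDURE dbo.usp_GetOrders_Safe
    @xmlDoc NVARCHAR(MAX),
    @view   NVARCHAR(20)        -- allowed values: 'all', 'shipped', 'pending'
AS
BEGIN
    DECLARE @rowPattern NVARCHAR(200) =
        CASE @view
            WHEN N'all'     THEN N'/Orders/Order'
            WHEN N'shipped' THEN N'/Orders/Order[@Status="shipped"]'
            WHEN N'pending' THEN N'/Orders/Order[@Status="pending"]'
        END;
    IF @rowPattern IS NULL
    BEGIN
        RAISERROR(N'Unknown view "%s"', 16, 1, @view);
        RETURN;
    END;

    DECLARE @idoc INT;
    EXEC sp_xml_preparedocument @idoc OUTPUT, @xmlDoc;
    SELECT Id, Status
    FROM OPENXML(@idoc, @rowPattern, 1)          -- literal chosen above, not caller text
         WITH (Id INT '@Id', Status NVARCHAR(20) '@Status');
    EXEC sp_xml_removedocument @idoc;
END
GO

-- XQuery alternative: the path is a literal and the caller's value is bound with
-- sql:variable(), so it is compared as a string and cannot change the expression.
-- Hypothetical name.
CREATE PROCEDURE dbo.usp_GetOrdersByStatus_XQuery
    @xmlDoc XML,
    @status NVARCHAR(20)
AS
BEGIN
    SELECT o.value('@Id', 'INT')            AS Id,
           o.value('@Status', 'NVARCHAR(20)') AS Status
    FROM @xmlDoc.nodes('/Orders/Order[@Status = sql:variable("@status")]') AS t(o);
END
GO

-- Usage with the constructed document: the safe procedures accept only a view
-- name or a plain status value, never an XPath expression.
DECLARE @doc NVARCHAR(MAX) = N'<Orders><Order Id="1" Status="shipped"/><Order Id="2" Status="pending"/></Orders>';
EXEC dbo.usp_GetOrders_Safe @xmlDoc = @doc, @view = N'shipped';          -- returns Id 1
EXEC dbo.usp_GetOrders_Safe @xmlDoc = @doc, @view = N'//Order';          -- rejected with an error
EXEC dbo.usp_GetOrdersByStatus_XQuery @xmlDoc = @doc, @status = N'pending'; -- returns Id 2
```

The difference between the two OPENXML procedures is not the query text but who controls it: in the unsafe version a caller who can reach the stored procedure can reach the XPath engine, which is the situation the documentation warns about. If the set of queries really must vary per caller, map caller input to a fixed list of literals as usp_GetOrders_Safe does, or bind values with sql:variable() in XQuery, rather than accepting the expression itself.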