Reading through other programmers’ code I often discover interesting things that sometimes I find hard to explain. For example, consider the following simple PL/SQL block:

DECLARE CURSOR emp_cur IS SELECT first_name FROM employees WHERE […]

David Litchfield published a paper demonstrating how an unclosed or dangling cursor created and used by DBMS_SQL can lead to a security hole.

I ran his proof of this vulnerability on my Oracle Database 10g Express Edition database.

Connected as SYS:

SQL> CREATE OR REPLACE PROCEDURE pwd_compare(p_user VARCHAR) IS 2 cursor_name INTEGER; 3 […]

In this post I will show an example of how you can transform a query result into an XML document. I will also show how you can write a query that produces nested or multi-leveled XML document using cursor expressions.

So you have an Oracle function (not a procedure) that returns a REF CURSOR and you want to use that function in ColdFusion. That can be easily done using <cfstoredproc>. Here is an example: