who_can_access: Release 18.104.22.168.0 - Production on Mon Aug 15 21:47:36 2005
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.
NAME OF OBJECT TO CHECK [USER_OBJECTS]: UTL_HTTP
OWNER OF THE OBJECT TO CHECK [USER]: SYS
OUTPUT METHOD Screen/File [S]: S
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:
EXCLUDE CERTAIN USERS [N]:
USER TO SKIP [TEST%]:
Checking object => SYS.UTL_HTTP
Object type is => PACKAGE (TAB)
Privilege => EXECUTE is granted to =>
Role => PUBLIC (ADM = NO)
PL/SQL procedure successfully completed.
For updates please visit http://www.petefinnigan.com/tools.htm
As we can see on this sample database execute privilege has been granted to PUBLIC.
Robert shows a very nice example of how stock quotes can be extracted from Yahoo Finance and inserted into the database using this package. I liked his example as it shows a real world case of how you can access external data and read it in. Remember that this package can also be used in the opposite direction and data can be extracted from the database. Also it can be used to load and run hacker SQL or PL/SQL scripts that are stored on an external web site. Beware of default privileges and useful functionality.