I saw Doug's post tonight titled "Something Else I Didn't Know" that talks about the fact that SQL scripts can be executed not just from scripts on the file system but also from URLs. I was aware of this feature and of the fact that it is not well known. This feature is a security risk, as it means that cross-site scripting could be possible against a database using SQL. It could also be possible to use DNS spoofing to trick an existing setup that uses SQL*Plus with URL-located files into executing other files. I can also conceive of ways that a hacker could get access to SQL*Plus on the server remotely and get it to run an external script located on his own site. This applies in cases where the database is behind a firewall and is not normally accessible to users who wish to run SQL*Plus.
Think carefully about using this feature and its implications.
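As an added example (not code from Doug's post or from this one), here is a small Python audit that flags SQL*Plus script-start commands (`@`, `@@`, `START`/`STA`) whose argument is an http or ftp URL, the kind of line a reviewer of `glogin.sql`, `login.sql` or deployed scripts would want to find before a spoofed host can serve a substitute script. The function name and the sample script are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# SQL*Plus starts a script with "@file", "@@file", "START file" or "STA file",
# and the argument may be a URL (http:// or ftp://). This pattern matches only
# the URL form, which is what the post warns about. Audit helper, not SQL*Plus.
URL_START_RE = re.compile(
    r"^\s*(?:@@?|sta(?:rt)?\s+)\s*(?P<url>(?:https?|ftp)://\S+)",
    re.IGNORECASE,
)
# Lines that SQL*Plus treats as comments: "--" and "REM[ARK]".
COMMENT_RE = re.compile(r"^\s*(?:--|rem(?:ark)?\b)", re.IGNORECASE)


def find_url_scripts(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every line that starts a script from a URL."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if COMMENT_RE.match(line):
            continue  # commented-out lines are not executed
        m = URL_START_RE.match(line)
        if m:
            # A trailing ";" is not part of the URL SQL*Plus fetches.
            hits.append((lineno, m.group("url").rstrip(";")))
    return hits


# Constructed sample of a login.sql mixing local and URL-sourced scripts.
SAMPLE_LOGIN_SQL = """\
-- constructed sample login.sql for the audit demo
SET SERVEROUTPUT ON
@@local_setup.sql
START http://scripts.example.invalid/report.sql
rem @http://commented.example.invalid/old.sql
@ftp://ftp.example.invalid/pub/init.sql;
"""

if __name__ == "__main__":
    for lineno, url in find_url_scripts(SAMPLE_LOGIN_SQL):
        print(f"line {lineno}: script loaded from URL {url}")
```

Run it over every `.sql` file on the SQLPATH and in each ORACLE_HOME's `sqlplus/admin` directory to see which startup and deployed scripts pull code from a remote host.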