Alex has produced a detailed analysis of the "SQL injection bug via mod_plsql" on his website. Alex took almost all of the information in his analysis from the mod_plsql log file. It took Alex only a few minutes in modplsql debug mode to work out how to exploit this bug. This is actually very easy to exploit and in fact the biggest clue to how to exploit this is in Davids post to bugtraq. This is an un-fixed bug and quite serious due to it being internet facing. David's suggestions to use mod_rewrite rules are good but as Alex points out this may not work in older versions due to it being legal to use URL's with function names with brackets.