David Litchfield's ongoing assault on Oracle ... or function on a vulnerable database. Instead, Litchfield argues, an attacker can inject a pre-compiled cursor into vulnerable PL/SQL objects.