15 Replies. Latest reply on May 11, 2012 12:20 PM by Billy~Verreynne
      • 15. Re: convert char to number
        user585481 wrote:

        I have data in a column like " *1*2*2* ". I want to multiply this and convert it into a number; that is, the result should be 4. How do I do this? Please help me.

        Code injection is a very real danger.

        Dynamic PL/SQL can be used - and the dynamic PL/SQL expression can fairly easily be made a lot more restrictive in terms of code injection (e.g. using regular expressions to remove all valid stuff and see what is left, thus detecting "foreign code").

        If dynamic SQL is the choice, one can do something along similar lines using UTL_XML.ParseQuery() and inspect the XML parse tree for injected object references (e.g. user-defined PL/SQL functions, tables or views other than DUAL, etc).

        Also keep in mind that each such dynamic execution will very likely be a hard parse due to the expression to evaluate being unique.

        The ideal would be a function that internally performs dynamic evaluation without having to run it via a dynamic cursor construct. This will protect the rest of the database as that evaluation's scope is local to that module only - and not able to access the SQL and/or PL/SQL engines with injected code.
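
An added example, not part of the original post and not Oracle-supplied code: one way to write the kind of function the reply describes, checking the column value against a whitelist regular expression and then multiplying the terms in plain PL/SQL, with no dynamic SQL or PL/SQL involved. The function name multiply_terms, the error number -20001 and the 15-digit limit per term are assumptions made for this illustration.

```sql
CREATE OR REPLACE FUNCTION multiply_terms(p_expr IN VARCHAR2)
  RETURN NUMBER
  DETERMINISTIC
IS
  l_expr   VARCHAR2(4000) := TRIM(p_expr);  -- surrounding blanks are tolerated
  l_result NUMBER := 1;
  l_token  VARCHAR2(15);
  l_occ    PLS_INTEGER := 1;
BEGIN
  -- Whitelist check: unsigned integers of at most 15 digits, separated by
  -- single '*' characters, with an optional leading and trailing '*'.
  -- Anything else (quotes, semicolons, identifiers, parentheses) is rejected
  -- before any evaluation happens. The explicit IS NULL test matters because
  -- NOT REGEXP_LIKE(NULL, ...) evaluates to NULL and would skip the branch.
  IF l_expr IS NULL
     OR NOT REGEXP_LIKE(l_expr, '^\*?[0-9]{1,15}(\*[0-9]{1,15})*\*?$')
  THEN
    RAISE_APPLICATION_ERROR(-20001,
      'multiply_terms: input is not a *-separated list of integers');
  END IF;

  -- Evaluate locally: pull out each integer and multiply. The input is only
  -- ever treated as data; it never reaches the SQL or PL/SQL compiler, so
  -- there is no hard parse per distinct expression either.
  LOOP
    l_token := REGEXP_SUBSTR(l_expr, '[0-9]+', 1, l_occ);
    EXIT WHEN l_token IS NULL;
    l_result := l_result * TO_NUMBER(l_token);
    l_occ := l_occ + 1;
  END LOOP;

  RETURN l_result;
END multiply_terms;
/

-- Usage with the value from the question (constructed call):
SELECT multiply_terms(' *1*2*2* ') AS product FROM dual;
```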