Glen from our experience it isn't a sql injection issue. The ref cursor method we are using does not have the ability to do any data manipulation, just data querying. Which is great as I'd see injection as a huge hole in security too.

Other SAAS products such as Salesforce have specific sql query web services available. As does netsuite https://docs.oracle.com/cloud/latest/netsuitecs_gs/NSSAW/NSSAW.pdf Please clarify, is this for HCM only? or the entire cloud ERP range? Either way it is a huge lose of functionality. Are you able to provide a pathway…