Sat 6 Feb 2010
So, what can we learn from the error?
- SF uses Java as a backend
- SF uses Oracle as the database
- The application is programmed using stored program units – in this case package sLead with procedure update_leads
- Checks are performed at the PL/SQL level and custom exceptions are being thrown – ORA-20096
- The Java application uses bind variables to call into the PL/SQL layer – good for them!
- My guess is that the username/schema for this particular SF account is SNEEZY and it contains Oracle types with the names CUSER and SLEAD
All in all, I’d say that SF did a good, secure job in implementing the application (bind variables, etc.) but missed the “never return DB errors to the customer” part.
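To make the "never return DB errors to the customer" part concrete, here is an added example (my own illustration, not Salesforce's code) of the Java side of such a call. It keeps the bind-variable call into the PL/SQL package and adds the missing piece: a boundary that logs the full Oracle error server-side under a correlation id and hands the user only a generic message. The package and procedure names sLead.update_leads come from the error on the page; the parameter list, the message texts and the sample exceptions in main are assumptions constructed for the demonstration.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example, not the application's real code. Shows the boundary between
 * the PL/SQL layer and the caller written so that ORA-xxxxx text, schema names
 * and package names never leave the server.
 */
public class LeadService {
    private static final Logger LOG = Logger.getLogger(LeadService.class.getName());

    /** The only error object the presentation layer is allowed to render. */
    public static final class UserFacingError extends Exception {
        public final String correlationId;
        public UserFacingError(String message, String correlationId) {
            super(message);
            this.correlationId = correlationId;
        }
    }

    /** Calls the stored procedure with bind variables (the part done right on the page). */
    public void updateLead(Connection conn, long leadId, String newStatus) throws UserFacingError {
        // The two-parameter signature is an assumption for illustration.
        try (CallableStatement cs = conn.prepareCall("{call sLead.update_leads(?, ?)}")) {
            cs.setLong(1, leadId);
            cs.setString(2, newStatus);
            cs.execute();
        } catch (SQLException e) {
            throw sanitize(e);
        }
    }

    /**
     * Maps a database exception to something safe to show. Oracle reserves
     * error codes 20000-20999 for RAISE_APPLICATION_ERROR, so those are the
     * application's own validation failures (ORA-20096 on the page is one);
     * everything else is an internal fault. In both cases the raw message,
     * which carries the ORA- prefix and the PL/SQL call stack, stays in the log.
     */
    static UserFacingError sanitize(SQLException e) {
        String correlationId = UUID.randomUUID().toString();
        // Full detail server-side only, keyed by the correlation id for support lookups.
        LOG.log(Level.SEVERE, "DB error [" + correlationId + "] code=" + e.getErrorCode()
                + " state=" + e.getSQLState(), e);
        int code = e.getErrorCode();
        if (code >= 20000 && code <= 20999) {
            // Application-defined check failed: tell the user a rule rejected the
            // change, without echoing e.getMessage().
            return new UserFacingError(
                "The lead could not be updated because a validation rule rejected it.", correlationId);
        }
        return new UserFacingError(
            "An internal error occurred. Reference: " + correlationId, correlationId);
    }

    /** Stand-alone demonstration with constructed exceptions; no database needed. */
    public static void main(String[] args) {
        // Constructed to mimic a custom ORA-20096 raised inside the package
        // (the message text and line number are invented for the demo).
        SQLException custom = new SQLException(
            "ORA-20096: lead validation failed\nORA-06512: at \"SNEEZY.SLEAD\", line 42",
            "72000", 20096);
        System.out.println(sanitize(custom).getMessage());   // no ORA- text, no schema or package name

        // Constructed internal fault (ORA-00942 is Oracle's "table or view does not exist").
        SQLException internal = new SQLException(
            "ORA-00942: table or view does not exist", "42000", 942);
        System.out.println(sanitize(internal).getMessage());
    }
}
```

The split on the 20000-20999 range is what lets the application keep useful validation feedback for the user while still treating the exception text itself as internal; the correlation id is what support staff use to find the logged ORA- detail without it ever having been shown in the browser.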
So, what will it take to educate developers not to display errors? Thoughts?