Subject | Re: possible to CREATE a TRIGGER from a INSIDE? |
---|---|
Author | Adam |
Post date | 2005-10-30T00:47:43Z |
> To destroy a database hacker only needs a username and password.

Sure, but that has nothing to do with execute statement. I don't
necessarily disagree with your desire to have the ability to switch it
off, but if I wanted to destroy a database and I had a valid username
and password, I would personally take the easier path of deleting from
some of the rdb$ tables; rdb$pages would be pretty much unrecoverable.
The trick is to not let users know their passwords. Giving your
application a wrapper around gsec and hashing their passwords first is
a good trick.
Adam