--- hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java.orig 2007-10-19 13:25:36.000000000 -0400
+++ hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java 2007-10-23 14:54:25.000000000 -0400
@@ -44,6 +44,7 @@ import org.hsqldb.lib.Set;
 import org.hsqldb.lib.SimpleLog;
 import org.hsqldb.lib.java.JavaSystem;
 import org.hsqldb.store.ValuePool;
+import org.hsqldb.lib.StringUtil;
 
 /**
 * Manages a .properties file for a database.
@@ -53,6 +54,53 @@ import org.hsqldb.store.ValuePool;
 * @since 1.7.0
 */
 public class HsqlDatabaseProperties extends HsqlProperties {
+ private static String hsqldb_method_class_names =
+ "hsqldb.method_class_names";
+ private static HashSet accessibleJavaMethodNames;
+
+ static {
+ try {
+ String prop = System.getProperty(hsqldb_method_class_names);
+
+ if (prop != null) {
+ accessibleJavaMethodNames = new HashSet();
+
+ String[] names = StringUtil.split(prop, ";");
+
+ for (int i = 0; i < names.length; i++) {
+ accessibleJavaMethodNames.add(names[i]);
+ }
+ }
+ } catch (Exception e) {}
+ }
+
+ /**
+ * If the system property "hsqldb.method_class_names" is not set, then
+ * static methods of all available Java classes can be accessed as functions
+ * in HSQLDB. If the property is set, then only the list of semicolon
+ * seperated method names becomes accessible. An empty property value means
+ * no class is accessible.

+ *
+ * All methods of org.hsqldb.Library are always accessible.
+ *
+ *
+ */
+ public static boolean supportsJavaMethod(String name) {
+
+ if (name.startsWith("org.hsqldb.Library")) {
+ return true;
+ }
+
+ if (accessibleJavaMethodNames == null) {
+ return true;
+ }
+
+ if (accessibleJavaMethodNames.contains(name)) {
+ return true;
+ }
+
+ return false;
+ }
 
 // column number mappings
 public static final int indexName = 0;
--- hsqldb/src/org/hsqldb/Database.java.orig 2007-10-19 13:24:32.000000000 -0400
+++ hsqldb/src/org/hsqldb/Database.java 2007-10-23 14:55:07.000000000 -0400
@@ -473,12 +473,19 @@ public class Database {
 * the given method alias. If there is no Java method, then returns the
 * alias itself.
 */
- String getJavaName(String s) {
+ String getJavaName(String name) throws HsqlException {
 
- String alias = (String) hAlias.get(s);
+ String target = (String) hAlias.get(name);
 
- return (alias == null) ? s
- : alias;
+ if (target == null) {
+ target = name;
+ }
+
+ if (HsqlDatabaseProperties.supportsJavaMethod(target)) {
+ return target;
+ }
+
+ throw Trace.error(Trace.ACCESS_IS_DENIED, target);
 }
 
 /**
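Review bot: The static initializer added to HsqlDatabaseProperties fails open: `catch (Exception e) {}` discards any exception raised while reading the property (a SecurityException from `System.getProperty`, for instance), which leaves `accessibleJavaMethodNames` null, and `supportsJavaMethod` treats null as "every class is allowed". If the list is meant as a restriction, the handler should deny by default, e.g. `} catch (Exception e) { accessibleJavaMethodNames = new HashSet(); }`, and record the failure so an operator can see that the configured list was not applied. The always-allowed test `name.startsWith("org.hsqldb.Library")` is a bare prefix match, so any name that merely begins with that string passes; `name.startsWith("org.hsqldb.Library.")` limits it to members of that class. The Javadoc speaks of method names while the property is called method_class_names and the lookup is an exact `contains(name)`, so it should state which form an entry must take.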
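Review bot: The Javadoc kept above `getJavaName` in Database.java still describes only alias resolution and does not mention that the method now rejects names; it should gain a line such as `@throws HsqlException ACCESS_IS_DENIED if the resolved name is not permitted by HsqlDatabaseProperties.supportsJavaMethod`. Running the check on the resolved `target` rather than on the incoming `name` is the right order, since an alias then cannot be used to reach a name the list excludes. The check only covers call sites that resolve through this method, so any path that looks up a Java method by name without calling `getJavaName` (none is visible in this hunk) would need the same test. The comment block begins above the hunk, so its opening lines are not shown here.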