Friday, May 14, 2021

SQL Injection in Oracle

  • SQL injection is a technique for attacking applications that use client-supplied data in SQL statements.
  • The attacker supplies specially crafted string input that the SQL engine interprets as part of the statement, executing commands the developer never intended and gaining unauthorized access to view or manipulate restricted data.
  • SQL injection techniques vary, but they all exploit the same weakness in the application: a string that is not validated, or is validated incorrectly, is concatenated into a dynamic SQL statement and interpreted as code by the SQL engine.
  • To immunize code against SQL injection, pass untrusted input as bind arguments rather than as statement text. In PL/SQL, static SQL binds automatically; dynamic SQL (EXECUTE IMMEDIATE, OPEN ... FOR, DBMS_SQL) must bind explicitly through the USING clause or DBMS_SQL.BIND_VARIABLE. Where a value cannot be bound, such as a table or column name, validate it (for example with DBMS_ASSERT) before concatenating it.
  • Any program or application that builds SQL from untrusted input may be vulnerable, not only web applications; in Oracle, PL/SQL procedures that construct dynamic SQL from their parameters are a common case.
  • Web applications are at higher risk because an attacker can reach the vulnerable code without any database or application authentication, and the injected SQL runs with the privileges of the application's database account (or, for a definer's rights PL/SQL unit, of the unit's owner).
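As an added example, not code from the original post, the PL/SQL below shows the concatenating pattern the bullets warn about, the same query with a bind argument (both as static SQL and as dynamic SQL with USING), and DBMS_ASSERT for an identifier that cannot be bound. The employees table, its rows, and the function names are assumed for illustration.

```sql
-- Added example (not from the original post). Table, rows and function names
-- are assumed for illustration.
CREATE TABLE employees (
  employee_id NUMBER PRIMARY KEY,
  last_name   VARCHAR2(50),
  salary      NUMBER
);
INSERT INTO employees VALUES (1, 'King', 24000);
INSERT INTO employees VALUES (2, 'Kochhar', 17000);
COMMIT;

-- VULNERABLE: the caller's string is spliced into the statement text, so the
-- SQL engine parses it as code, not as data.
CREATE OR REPLACE FUNCTION count_by_name_unsafe (p_last_name IN VARCHAR2)
  RETURN NUMBER IS
  l_stmt  VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_stmt := 'SELECT COUNT(*) FROM employees WHERE last_name = '''
            || p_last_name || '''';
  EXECUTE IMMEDIATE l_stmt INTO l_count;
  RETURN l_count;
END;
/

-- HARDENED (dynamic SQL): the value travels through the USING clause as a
-- bind argument and never becomes part of the statement text.
CREATE OR REPLACE FUNCTION count_by_name_safe (p_last_name IN VARCHAR2)
  RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM employees WHERE last_name = :name'
    INTO l_count USING p_last_name;
  RETURN l_count;
END;
/

-- HARDENED (static SQL): a PL/SQL variable in static SQL is bound
-- automatically; no string building is involved at all.
CREATE OR REPLACE FUNCTION count_by_name_static (p_last_name IN VARCHAR2)
  RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_count FROM employees WHERE last_name = p_last_name;
  RETURN l_count;
END;
/

-- An identifier (table name) cannot be a bind argument, so validate it with
-- DBMS_ASSERT before concatenating; an invalid name raises ORA-44003 instead
-- of being executed.
CREATE OR REPLACE FUNCTION count_rows (p_table IN VARCHAR2)
  RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO l_count;
  RETURN l_count;
END;
/

-- Constructed attack input: the quote closes the literal, the tautology
-- matches every row, and the trailing comment absorbs the closing quote, so
-- the unsafe function runs
--   SELECT COUNT(*) FROM employees WHERE last_name = 'King' OR 1=1 --'
-- while the bound versions compare the whole string literally.
SET SERVEROUTPUT ON
DECLARE
  l_attack VARCHAR2(100) := q'[King' OR 1=1 --]';
BEGIN
  DBMS_OUTPUT.PUT_LINE('unsafe: ' || count_by_name_unsafe(l_attack));
  DBMS_OUTPUT.PUT_LINE('safe:   ' || count_by_name_safe(l_attack));
  DBMS_OUTPUT.PUT_LINE('static: ' || count_by_name_static(l_attack));
  DBMS_OUTPUT.PUT_LINE('rows:   ' || count_rows('employees'));
END;
/
```

Run in SQL*Plus or SQLcl as a user who can create tables and functions. With the attack input the concatenating function counts every row in the table, while both bound versions find no employee whose last name is that literal string; passing something like `employees; DROP TABLE employees` to count_rows fails in DBMS_ASSERT.SIMPLE_SQL_NAME before any statement is built.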

1 comment:

  1. Optumflex Solutions for your ERP business needs. Visit Optumflex.com for more information.
