SQL Injection in SQL
Vulnerable Examples
PL/SQL
Oracle PL/SQL offers more than one way to concatenate potentially dangerous strings into a dynamically executed SQL statement. In both forms below the untrusted value p_phone is spliced directly into the query text, so a quote character in it ends the string literal and the rest of the value is parsed as SQL.
-- Vulnerable: p_phone is concatenated into the statement text
EXECUTE IMMEDIATE 'SELECT id FROM db.Table WHERE phone = ''' || p_phone || '''';
-- Same flaw with a dynamic cursor opened on a concatenated string
OPEN selection_table FOR 'SELECT id FROM db.Table WHERE phone = ''' || p_phone || '''';
FETCH selection_table INTO v_selected_id;
T-SQL
The T-SQL system stored procedure sp_executesql executes a Transact-SQL statement or batch supplied as a Unicode string. When that string is assembled by concatenation, as below, the content of @P_PHONE becomes part of the command text rather than a value compared against it.
DECLARE @SQLString NVARCHAR(500);
-- Vulnerable: @P_PHONE is concatenated into the statement text
SET @SQLString = N'SELECT id FROM db.Table WHERE phone = ''' + @P_PHONE + '''';
EXECUTE sp_executesql @SQLString;
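Both the PL/SQL and the T-SQL examples above are fixed the same way: the untrusted value is passed as a bind parameter and the statement text stays constant. The following is an added example, not part of the original rule text; it shows each vulnerable form next to its hardened form as two separate scripts (one per dialect), with the sample phone value and the column types as constructed assumptions.

```sql
-- PL/SQL (Oracle). Anonymous block using the identifiers from the examples above.
DECLARE
  p_phone         VARCHAR2(20) := '555-0100';  -- constructed sample input
  v_selected_id   NUMBER;
  selection_table SYS_REFCURSOR;
BEGIN
  -- Vulnerable: a quote in p_phone ends the string literal and the remainder of
  -- the value is parsed as SQL.
  EXECUTE IMMEDIATE 'SELECT id FROM db.Table WHERE phone = ''' || p_phone || ''''
    INTO v_selected_id;

  -- Hardened: :phone is a bind variable. The statement text is constant and
  -- p_phone is only ever treated as data, whatever characters it contains.
  EXECUTE IMMEDIATE 'SELECT id FROM db.Table WHERE phone = :phone'
    INTO v_selected_id USING p_phone;

  -- The same fix for the dynamic cursor form.
  OPEN selection_table FOR 'SELECT id FROM db.Table WHERE phone = :phone' USING p_phone;
  FETCH selection_table INTO v_selected_id;
  CLOSE selection_table;
END;
/

-- T-SQL (SQL Server). Separate script; run on its own.
DECLARE @P_PHONE        NVARCHAR(20) = N'555-0100';  -- constructed sample input
DECLARE @SQLString      NVARCHAR(500);
DECLARE @ParmDefinition NVARCHAR(500);

-- Vulnerable: concatenation makes @P_PHONE part of the command text.
SET @SQLString = N'SELECT id FROM db.Table WHERE phone = ''' + @P_PHONE + '''';
EXECUTE sp_executesql @SQLString;

-- Hardened: the statement names a parameter, its type is declared in
-- @ParmDefinition, and the value is passed separately, so it is never parsed as SQL.
SET @SQLString      = N'SELECT id FROM db.Table WHERE phone = @phone';
SET @ParmDefinition = N'@phone NVARCHAR(20)';
EXECUTE sp_executesql @SQLString, @ParmDefinition, @phone = @P_PHONE;
```

A static analyser flags the vulnerable lines because the first argument to EXECUTE IMMEDIATE, OPEN ... FOR or sp_executesql is built from a variable; in the hardened lines that argument is a literal, which is also the quickest manual check when reviewing dynamic SQL.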
References
CWE - CWE-89: Improper Neutralization of Special Elements used in an SQL Command
OWASP - SQL Injection Prevention Cheat Sheet