A database application on the server side contains the programmable logic embedded within the PL/SQL packages and subprograms. These PL / SQL program units may contain SQL statements, which are intended to perform specific operations. The SQL statements, whose query text is built at runtime (dynamically derived) and based on client-supplied inputs, open ways for SQL injection. A malicious user can supply a manipulated input that can break through the PL/SQL program logic by replacing the SQL syntax and perform arbitrary execution.
The reason it is known as Injection is because the manipulated text, which replaces or appends to the original SQL text in a PL/SQL program unit, is parsed along with the original SQL statement. The undetected attacker's code is legally executed by the SQL engine, along with the original programmed SQL.
For example, a string type malicious input from the client is executed as legal code by the SQL engine; thus, exploiting a server-side SQL...