Document Type


Publication Date



SQL injection, database vulnerabilities, stored procedure vulnerabilities, computer security


Structured Query Language (SQL) injection is one of the most devastating vulnerabilities to impact a business, as it can lead to the exposure of sensitive information stored in an application’s database. SQL Injection can compromise usernames, passwords, addresses, phone numbers, and credit card details. It is the vulnerability that results when an attacker achieves the ability to influence SQL queries that an application passes to a back-end database. The attacker can often leverage the syntax and capabilities of SQL, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database to compromise the web application. In this article we demonstrate two non-web based SQL Injection attacks one of which can be carried out by executing a stored procedure with escalating privileges. We present the unique way in which Oracle handles single and double quotes in strings because, as shown in this paper, this is one of the features of the language that can be exploited in the construction of an injection attack. Recommendations on how to resolve these vulnerabilities are proposed.


Faculty of Applied Science & Technology


School of Applied Computing


International Journal on Computer Science and Engineering (IJCSE)


Publisher's version

Peer Reviewed/Refereed Publication


Terms of Use

Terms of Use for Works posted in SOURCE.

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Original Publication Citation

Ansari, S., & Sykes, E. R. (2012). SQL Injection in ORACLE: An exploration of vulnerabilities. International Journal on Computer Science and Engineering, 4(4), 522-531. Retrieved from


GOAL 9: Industry, Innovation and Infrastructure

click icon to learn more