• Suppose you have a Web-based application which stores usernames alongside other session information. Given a session identifier such as a cookie you want to retrieve the
    current username and then use it in turn to retrieve some user information. You might therefore have code for an "Update User Profile" screen somewhat similar to the following:

    execute immediate 'SELECT username FROM sessiontable WHERE session
    ='''||sessionid||'''' into username;

    execute immediate 'SELECT ssn FROM users WHERE
    username='''||username||'''' into ssn;

    This is injectable if the attacker had earlier, on the "Create Account" screen, created a username such as:
    XXX' OR username='JANE

    Which creates the query:
    SELECT ssn FROM users WHERE username='XXX' OR username='JANE'

    If the user XXX does not exist, the attacker has successfully retrieved Jane’s social security number.
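    The following is an added example, not code from the original document: it models the two-step lookup above in Python with an in-memory SQLite database (the tables, usernames, session id and SSN values are constructed for the example). The vulnerable function concatenates the stored username into the second query exactly as the two EXECUTE IMMEDIATE statements do; the hardened function passes it as a bind parameter, which is the same fix PL/SQL gets from EXECUTE IMMEDIATE ... INTO ... USING.

```python
import sqlite3

# Constructed sample data standing in for the page's users and sessiontable tables.
USERS = [("JANE", "123-45-6789"), ("BOB", "987-65-4321")]
# The username the attacker registered on the "Create Account" screen
# (the payload quoted above). It is stored as ordinary data; the problem
# only appears when it is later spliced into SQL text.
ATTACKER_NAME = "XXX' OR username='JANE"
ATTACKER_SSN = "000-00-0000"
ATTACKER_SESSION = "sess-attacker"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE sessiontable (session TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    # The attacker's own account and an active session for it.
    conn.execute("INSERT INTO users VALUES (?, ?)", (ATTACKER_NAME, ATTACKER_SSN))
    conn.execute("INSERT INTO sessiontable VALUES (?, ?)",
                 (ATTACKER_SESSION, ATTACKER_NAME))
    return conn


def ssn_for_session_vulnerable(conn, sessionid):
    # Mirrors the page's PL/SQL: both statements are built by concatenation,
    # so the username fetched by the first query is parsed as SQL by the second.
    row = conn.execute(
        "SELECT username FROM sessiontable WHERE session='" + sessionid + "'"
    ).fetchone()
    if row is None:
        return []
    username = row[0]
    rows = conn.execute(
        "SELECT ssn FROM users WHERE username='" + username + "'"
    ).fetchall()
    return [r[0] for r in rows]


def ssn_for_session_safe(conn, sessionid):
    # Hardened form: bind parameters. The stored username is sent as a value
    # and compared literally, so the quotes inside it have no SQL meaning.
    # PL/SQL equivalent: EXECUTE IMMEDIATE '... WHERE username = :u'
    #                    INTO ssn USING username;
    row = conn.execute(
        "SELECT username FROM sessiontable WHERE session = ?", (sessionid,)
    ).fetchone()
    if row is None:
        return []
    rows = conn.execute(
        "SELECT ssn FROM users WHERE username = ?", (row[0],)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", ssn_for_session_vulnerable(db, ATTACKER_SESSION))  # Jane's SSN
    print("safe:      ", ssn_for_session_safe(db, ATTACKER_SESSION))        # attacker's own row
```

    The point the example makes concrete: with binding, the second lookup returns only the attacker's own row (the username matches itself and nothing else), whereas the concatenated version returns Jane's record even though the attacker never supplied input on the profile screen. Escaping the session cookie alone would not help; every value that reaches dynamic SQL, including values read back from the database, needs to be bound.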

  • The attacker can create malicious database objects such as a function called as part of an API, or a maliciously named table by using double quotation marks to introduce dangerous constructs.

    For example, an attacker can create a table using a table name such as "tab') or 1=1--", which can be exploited later in a second order SQL injection attack.
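    The following is an added example (not from the original document) for the object-name case: a table is created with the name quoted above, and a catalog query that splices object names into dynamic SQL is shown next to a version that first checks the name against an identifier allow-list and then binds it. The allow-list pattern, the in-memory SQLite catalog and the table names are assumptions made for the example; Oracle's DBMS_ASSERT.SIMPLE_SQL_NAME performs the corresponding check in PL/SQL.

```python
import re
import sqlite3

# The malicious table name from the text.
PAYLOAD_NAME = "tab') or 1=1--"

# Allow-list for identifiers that may enter dynamic SQL: a letter, then letters,
# digits, '_', '$' or '#', at most 30 characters. Assumed for this example; it
# approximates an Oracle simple SQL name and should match your naming rules.
SIMPLE_SQL_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")


def is_simple_sql_name(name):
    return bool(SIMPLE_SQL_NAME.match(name))


def build_catalog():
    # Constructed schema: one legitimate table, plus one whose name is the
    # payload above, created through a double-quoted identifier.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER)")
    conn.execute('CREATE TABLE "%s" (id INTEGER)' % PAYLOAD_NAME)
    return conn


def tables_named_vulnerable(conn, name):
    # The object name, read back from the catalog, is spliced straight into
    # the predicate; the payload turns it into "... IN ('tab') or 1=1--')".
    sql = ("SELECT name FROM sqlite_master WHERE type='table' "
           "AND name IN ('" + name + "')")
    return sorted(r[0] for r in conn.execute(sql))


def tables_named_safe(conn, name):
    # Validate before the name touches SQL text, then bind it as a value.
    if not is_simple_sql_name(name):
        raise ValueError("rejected object name: %r" % name)
    sql = "SELECT name FROM sqlite_master WHERE type='table' AND name IN (?)"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


def suspicious_object_names(conn):
    # Audit helper: catalog entries that would fail the allow-list. Running
    # this over the data dictionary surfaces planted object names early.
    return sorted(r[0] for r in conn.execute("SELECT name FROM sqlite_master")
                  if not is_simple_sql_name(r[0]))


if __name__ == "__main__":
    db = build_catalog()
    print(tables_named_vulnerable(db, PAYLOAD_NAME))  # every table, not just one
    print(suspicious_object_names(db))                # the planted name
```

    The same allow-list check belongs wherever an identifier, rather than a data value, has to be placed into statement text, since identifiers cannot be bound. The audit helper is the detection side: a periodic scan of the data dictionary for names that fail the naming rule flags objects created to be exploited later.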