• Using Lateral SQL Injection, an attacker can exploit a PL/SQL procedure that does not even take user input. When a variable of data type DATE or NUMBER is concatenated into the text of a SQL statement, then, contrary to popular belief, there is still a risk of injection. The concatenation triggers an implicit TO_CHAR(), and that conversion is driven by the session's NLS_DATE_FORMAT (for dates) or NLS_NUMERIC_CHARACTERS (for numbers), settings any session can change for itself with ALTER SESSION or DBMS_SESSION.SET_NLS. A date format model may contain arbitrary text in double quotes, and it does not need to include any of the "structured" elements such as Mon, hh24, and so on; for numbers the attacker's influence is narrower, since NLS_NUMERIC_CHARACTERS only sets the decimal and group separator characters. Here's the "normal" use of that flexibility:

    SQL> SET SERVEROUTPUT ON
    SQL> ALTER session SET NLS_Date_Format = '"The time is"... hh24:mi'
    2 /
    Session altered.
    SQL> SELECT TO_CHAR(SYSDATE) d FROM Dual
    2 /
    D
    --------------------
    The time is... 19:49
    SQL> DECLARE
    2 d DATE := TO_DATE('The time is... 23:15');
    3 BEGIN
    4 -- Implicit To_Char()
    5 DBMS_OUTPUT.PUT_LINE(d);
    6 END;
    7 /
    The time is... 23:15
    PL/SQL procedure successfully completed.
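The same flexibility turned against a procedure, as an added example that is not part of the original page: DATE_CHECK and DATE_CHECK_SAFE are hypothetical procedures written for this illustration, the injected predicate `OR 1=1 --` is a constructed placeholder for whatever the attacker actually wants to run, and the exact text Oracle produces from a format model containing quotes should be confirmed on the target version.

```sql
-- Added example (not from the original page). Names are hypothetical.

-- 1. Vulnerable: the procedure takes no parameters, but '...' || SYSDATE || '...'
--    performs an implicit TO_CHAR(SYSDATE) using the CALLER's NLS_DATE_FORMAT,
--    so the caller controls text that lands inside the statement.
CREATE OR REPLACE PROCEDURE date_check AS
  stmt VARCHAR2(4000);
  cnt  PLS_INTEGER;
BEGIN
  stmt := 'SELECT COUNT(*) FROM all_objects WHERE created < ''' || SYSDATE || '''';
  DBMS_OUTPUT.PUT_LINE('Executing: ' || stmt);
  EXECUTE IMMEDIATE stmt INTO cnt;
  DBMS_OUTPUT.PUT_LINE('Rows: ' || cnt);
END;
/

-- 2. Attacker session: text inside the double quotes of the format model is
--    copied verbatim into the TO_CHAR output (the doubled '' denotes one single
--    quote inside the SQL string literal). The leading quote closes the
--    procedure's '...' literal, the rest is attacker-chosen SQL, and the
--    trailing -- comments out the quote the procedure appends.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1 --"';
SET SERVEROUTPUT ON
EXEC date_check;
-- Executing: SELECT COUNT(*) FROM all_objects WHERE created < '' OR 1=1 --'

-- 3. Hardened: bind the DATE instead of rendering it to text, so no NLS
--    setting can reach the statement text at all.
CREATE OR REPLACE PROCEDURE date_check_safe AS
  cnt PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM all_objects WHERE created < :d'
    INTO cnt USING SYSDATE;
  DBMS_OUTPUT.PUT_LINE('Rows: ' || cnt);
END;
/

-- 4. If text really is unavoidable, pin the conversion on both sides with an
--    explicit, purely numeric format model so the session defaults are ignored:
--    TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') in the procedure, and
--    TO_DATE(:txt, 'YYYY-MM-DD HH24:MI:SS') in the statement it builds.
```

Binding is the real fix; the explicit format model in step 4 only removes the date lever, and a NUMBER concatenated the same way still needs a bind or an explicit TO_CHAR with its own 'NLS_NUMERIC_CHARACTERS' argument.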