You Asked
I would like to know more about SQL injection. Why is it so hard to tell Oracle that a certain string is a parameter and not a part of a SQL command? For example, can a person call himself Delete and his name cannot be used in a search? And if you need to use the characters '--' in a text, will that be a problem for a SQL command?
Thanks
and Connor said...
Why is it so hard to tell Oracle that a certain string is a parameter and not a part of a SQL command?
Not sure what you mean by "hard"? You bind a variable and you're done!
This isn't an Oracle issue at all - it is a *coding* issue, i.e. if you let people build their own SQL (or you as a developer let people do it via your application) then you're going to get hacked.
Have a watch of this...it's fun, entertaining and a great outline of the risks of SQL injection.
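As an added illustration (not part of Connor's answer): the same name lookup written twice in PL/SQL, once by concatenating the caller's text into the statement and once with a bind variable. The table `emp` and its column `ename` are assumptions for the example.

```sql
-- Constructed example; emp/ename are assumed, not taken from the page.

-- Unsafe: the input is spliced into the SQL text before it is parsed.
-- A name such as Delete is harmless (it is inside the quotes), but a name
-- containing a single quote, e.g. O'Brien, changes where the literal ends
-- and the statement fails to parse or, worse, parses as something else.
CREATE OR REPLACE FUNCTION count_by_name_concat (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END;
/

-- Safe: the SQL text is fixed; the value arrives through the bind :name.
-- Delete, O'Brien or a value containing -- are just VARCHAR2 data here;
-- the parser never sees them as part of the statement.
CREATE OR REPLACE FUNCTION count_by_name_bind (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE ename = :name'
    INTO l_count USING p_name;
  RETURN l_count;
END;
/

-- Static SQL inside PL/SQL binds automatically, so this one line is
-- equivalent to count_by_name_bind and is the normal way to write it:
--   SELECT COUNT(*) INTO l_count FROM emp WHERE ename = p_name;

-- Demo: both names are plain data to the bind version.
SET SERVEROUTPUT ON
BEGIN
  DBMS_OUTPUT.PUT_LINE('Delete  -> ' || count_by_name_bind('Delete'));
  DBMS_OUTPUT.PUT_LINE('O''Brien -> ' || count_by_name_bind('O''Brien'));
  -- count_by_name_concat('O''Brien') would raise a parse error instead.
END;
/
```

Where a fragment genuinely cannot be bound (an object name in dynamic DDL, for instance), Oracle's DBMS_ASSERT package is the supported way to validate it before concatenation.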