I became fully aware of SQL injection reading this comic strip some years after I had started working as a developer (mostly PL/SQL, which is probably why the strip was so funny to me):

Programming most of my code in PL/SQL, and always taking care to use bind variables in the other languages I came across, I always considered my code free from SQL-injection risks… until last week.

Thanks to a clever colleague of mine, last week I came across this interesting article by Tom Kyte in which he talks about pivoting tables using dynamic SQL, and I realized that there can be SQL-injection risks even in PL/SQL (see here for the official Oracle documentation on the subject).

I have seldom used dynamic SQL… especially with data taken from tables… but, honestly, I could not swear I never did it.

So welcome to the dbms_assert package, which will save us from “little Bobby Tables”!
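As an added illustration (not code from this post, from Tom Kyte's article or from Oracle's documentation), here is the kind of dynamic-SQL routine the post worries about: a column name chosen by the caller, which cannot be a bind variable, first concatenated naively and then guarded with dbms_assert, with the data value bound. The SALES table, its columns and the function names are assumptions.

```sql
-- Added example, not from the original post. Assumed table:
--   SALES(region VARCHAR2(30), product VARCHAR2(30), amount NUMBER)
-- p_filter_col and p_filter_val are assumed to come from the caller
-- (a screen, a report parameter, or a row in a configuration table).

-- Risky form: both the identifier and the value are pasted into the
-- statement text, so either one can change the meaning of the SQL.
CREATE OR REPLACE FUNCTION count_sales_unsafe(p_filter_col IN VARCHAR2,
                                              p_filter_val IN VARCHAR2)
  RETURN NUMBER IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM sales WHERE ' || p_filter_col
        || ' = ''' || p_filter_val || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END;
/

-- Hardened form: the identifier is validated with DBMS_ASSERT and the
-- value never touches the SQL text because it is passed as a bind.
CREATE OR REPLACE FUNCTION count_sales_safe(p_filter_col IN VARCHAR2,
                                            p_filter_val IN VARCHAR2)
  RETURN NUMBER IS
  l_sql   VARCHAR2(4000);
  l_col   VARCHAR2(130);
  l_count NUMBER;
BEGIN
  -- SIMPLE_SQL_NAME raises ORA-44003 unless the text is a well-formed,
  -- unqualified SQL identifier (letters, digits, _ $ #, or a quoted name).
  -- ENQUOTE_NAME then wraps it in double quotes so it can only ever be
  -- read as a column name, never as an expression or a second clause.
  l_col := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_filter_col));

  l_sql := 'SELECT COUNT(*) FROM sales WHERE ' || l_col || ' = :val';
  EXECUTE IMMEDIATE l_sql INTO l_count USING p_filter_val;
  RETURN l_count;
END;
/

-- Typical calls (the invalid one raises ORA-44003 before any SQL runs):
--   SELECT count_sales_safe('REGION', 'EMEA') FROM dual;
--   SELECT count_sales_safe('region = 1 OR 1', 'x') FROM dual;
```

DBMS_ASSERT only guarantees that the text is a syntactically valid identifier; it does not decide whether the caller is allowed to filter on that column, so an explicit allow-list of permitted column names is the stricter check when the set of valid columns is known in advance.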