How to Write SQL Injection Proof PL/SQL
An internet search for "SQL Injection" gets about 4 million hits. The topic excites interest and superstitious fear. This whitepaper dymystifies the topic and explains a straightforward approach to writing database PL/SQL programs that provably guarantees their immunity to SQL injection. Only when a PL/SQL subprogram executes SQL that it creates at run time is there a risk of SQL injection; and one will see that it's easier than one might think to freeze the SQL at PL/SQL compile time. Then one will understand that one needs the rules which prevent the risk only for the rare scenarios that do require run-time-created SQL. It turns out that these rules are simple to state and easy to follow.