Lateral SQL injection in Oracle

David Litchfield has just released a paper showing that it is possible to perform SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn't even take user input!

The trick is to issue an ''ALTER SESSION SET NLS_DATE_FORMAT'' command to change the NLS variable so that the PL/SQL compiler will accept arbitrary SQL as a ''DATE'' (even though it is not).
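To show where the session setting enters the statement text, here is an added example that is not taken from the paper or from the original post: a parameterless procedure that concatenates a DATE into dynamic SQL, next to the same procedure using a bind variable. The table AUDIT_LOG and both procedure names are hypothetical.

```sql
-- Constructed example. Assumes a hypothetical table:
--   CREATE TABLE audit_log (event_time DATE, note VARCHAR2(100));

-- BEFORE: takes no parameters, yet the SQL text depends on session state.
CREATE OR REPLACE PROCEDURE log_today_unsafe IS
  v_now  DATE := SYSDATE;
  v_stmt VARCHAR2(400);
BEGIN
  -- '||' triggers an implicit TO_CHAR(v_now), which is rendered with the
  -- calling session's NLS_DATE_FORMAT. Whatever that mask produces becomes
  -- part of the statement that is parsed and executed.
  v_stmt := 'INSERT INTO audit_log (event_time, note) VALUES ('''
            || v_now || ''', ''daily run'')';
  EXECUTE IMMEDIATE v_stmt;
END;
/

-- AFTER: the DATE travels as a bind variable, so it is never converted to
-- text and never parsed as SQL, whatever the session's NLS settings are.
CREATE OR REPLACE PROCEDURE log_today_safe IS
  v_now DATE := SYSDATE;
BEGIN
  EXECUTE IMMEDIATE
    'INSERT INTO audit_log (event_time, note) VALUES (:d, :n)'
    USING v_now, 'daily run';
END;
/

-- Review aid: list stored code that builds dynamic SQL, as a starting point
-- for checking whether DATE or NUMBER variables are concatenated into it.
SELECT owner, name, type, line, text
  FROM all_source
 WHERE UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
    OR UPPER(text) LIKE '%DBMS_SQL.PARSE%'
 ORDER BY owner, name, line;
```

Where a bind variable cannot be used, an explicit TO_CHAR(v_now, 'YYYY-MM-DD') with a fixed format mask also removes the dependency on the session's date format.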

=== For more information ===

~ Lateral SQL Injection: A New Class of Vulnerability in Oracle

http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Published Mon, Apr 28 2008 14:41 by Martin Poon