SQL Injection

SQLInjectionConcept http://en.wikipedia.org/wiki/SQL_injection

SqlServer

One wants to load a customer by a given name. If the supplied name is "Ashok Kumar';delete from Transactions--" and it is concatenated into the SQL text, the whole resulting statement is executed, and every row in the Transactions table is deleted. This is illustrated in the executeUsingStatement test. Using a PreparedStatement avoids this, because the name is bound as a parameter value rather than spliced into the statement, as shown in the executeUsingPreparedStatement test.

Oracle

Executing another command by changing the parameter value is not possible in Oracle: it throws a SQLException when one tries (executingAnotherCommandNotPossibleInOracle test). But one can still load far more rows than intended by changing the parameter to "Ashok Kumar' or '1' = '1", which turns the WHERE clause into a tautology. The same prepared-statement fix applies here, since a bound value cannot alter the structure of the query.