I'm probing this system for SQL injection and found out that, even using a parametrized query exactly as suggested by the SQL Injection Prevention Cheat Sheet, it is still possible to execute SQL injection!
VB.NET Code and Query:
Dim OleCommand As New OleDbCommand("SELECT name, age FROM people WHERE name LIKE '%' || ? || '%'", OleConnection)
OleCommand.Parameters.Add("name", OleDbType.VarChar).Value = txt_name.Text
Example of Injections used successfully:
' UNION ALL select banner,null from v$version --
' UNION ALL select username,null from ALL_USERS --
During all my research (including some topics on Stack Overflow) I always read that parametrized queries are enough to prevent SQL injection, so I'm surprised they are not!
Can anyone please give me a detailed explanation on how and why is it possible?
Thank you in advance.
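The following is an added example, not code from the question or its follow-up: it reproduces the post's query shape in Python against an in-memory SQLite table (standing in for the Oracle `people` table and the OleDb driver) to show what a bound parameter can and cannot do. The parametrized search treats the post's payload as an ordinary search string; the concatenated variant, which the cheat sheet warns against, lets an apostrophe in the input break the statement. The table contents and the `escape_like` helper are constructed for this example.

```python
import sqlite3

# Same shape as the post's query: '%' and the placeholder are joined by SQL's ||,
# so the user text reaches the engine as a bound value, never as SQL text.
PARAM_SQL = "SELECT name, age FROM people WHERE name LIKE '%' || ? || '%'"
# Same query with an ESCAPE clause so % and _ in the input are matched literally.
PARAM_SQL_ESCAPED = PARAM_SQL + " ESCAPE '\\'"


def make_db():
    """Constructed in-memory sample table standing in for the post's Oracle table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [("Alice", 30), ("Bob", 41), ("O'Brien", 52)])
    return conn


def search_parameterized(conn, fragment):
    """Bound parameter: whatever the fragment contains, it is only LIKE data."""
    return conn.execute(PARAM_SQL, (fragment,)).fetchall()


def escape_like(fragment, esc="\\"):
    """Escape LIKE metacharacters so the fragment matches literally.
    Not an injection fix (the parameter already covers that), just wildcard
    hygiene that binding alone does not give you."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def search_parameterized_literal(conn, fragment):
    """Bound parameter plus ESCAPE clause: user-supplied % and _ are not wildcards."""
    return conn.execute(PARAM_SQL_ESCAPED, (escape_like(fragment),)).fetchall()


def search_concatenated(conn, fragment):
    """The anti-pattern: user text spliced into the SQL string. Returns the rows,
    or the string 'sql-error' when the input changes the statement's syntax."""
    sql = "SELECT name, age FROM people WHERE name LIKE '%" + fragment + "%'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "sql-error"


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION ALL select banner,null from v$version --"
    print("parametrized, payload:", search_parameterized(db, payload))       # []
    print("parametrized, O'Brien:", search_parameterized(db, "O'Brien"))     # one row
    print("concatenated, O'Brien:", search_concatenated(db, "O'Brien"))      # sql-error
    print("parametrized, '%':", len(search_parameterized(db, "%")))          # 3 rows
    print("parametrized+ESCAPE, '%':", search_parameterized_literal(db, "%"))  # []
```

Two things worth checking when reviewing a query like the one in the post: that the `||` concatenation happens inside the SQL text and not in the host language (the post's VB.NET does this correctly), and whether a `%` or `_` typed by the user is meant to act as a wildcard. The second is not an injection, but it is often surprising, and the `ESCAPE` clause above is the usual way to close it.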
Well, it's embarrassing...
Actually the development team didn't deploy the fixed code correctly, so I was testing the old code, therefore, the vulnerability seemed to persist.
In short: the above code is actually protected from SQL injection!
Sorry for the delay, and thank you Wolf and Steve for your ideas.