David Litchfield has just released a paper, showing that it is possible to do SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn’t even take user input!
The trick is to apply an ”ALTER SESSION SET NLS_DATE_FORMAT” command in order to change the NLS variable such that the PL/SQL compiler will accept an arbitrary SQL as a ”DATE” (even though it is not).
=== For more information ===
~ Lateral SQL Injection: A New Class of Vulnerability in Oracle