“
The SQL statement is passed as a simple string. If user-controllable input is part of the string parameter, the application is probably vulnerable to SQL injection.
”
Dafydd Stuttard (The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws)
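The pattern the quote describes, as an added example that is not from the book or its author: a login query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table (the table, rows and function names are assumptions for the demo). The injected payloads are the classic tautology and comment-truncation inputs, to show that the concatenated version lets input become SQL while the parameterized one treats it as data.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the page.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the quote warns about: the whole statement is one string
    with user-controlled input spliced into it. Returns matching usernames."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the statement text is fixed and the
    input is sent separately, so it can only ever be compared as a value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both variants with benign and hostile input; returns the rows each
    variant yields so the difference can be inspected or asserted on."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause true for every row
    comment = "alice'--"        # closes the literal, comments out the rest
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "param_normal": login_parameterized(conn, "alice", "s3cret"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
        "param_comment": login_parameterized(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the tautology payload matches both seeded users and the comment payload logs in as alice without a password; the parameterized query returns no rows for either, because the quote characters and `--` arrive as part of a value rather than as statement text.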