Using SQL injection, a hacker passes crafted string input to an application in the hope of gaining unauthorized access to a database. Here is a nice tutorial about this subject and how to prevent it. It also shows the use of the dbms_assert package, which is undocumented in 10g but documented in 11g.
Tutorial
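As an added illustration (not taken from the linked tutorial), the PL/SQL below puts a dynamic query built by concatenation next to a version that validates the identifier with DBMS_ASSERT.SIMPLE_SQL_NAME and binds the value. The procedure names, the `app_docs` table and its `owner` column are hypothetical.

```sql
-- Constructed example: procedure names, app_docs and its owner column are hypothetical.

-- Before: both inputs are concatenated into the statement text,
-- so either one can change the structure of the query.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
  p_table IN  VARCHAR2,
  p_owner IN  VARCHAR2,
  p_count OUT NUMBER
) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_table ||
    ' WHERE owner = ''' || p_owner || ''''
    INTO p_count;
END;
/

-- After: the identifier is checked by DBMS_ASSERT, the value is bound.
CREATE OR REPLACE PROCEDURE count_rows_safe (
  p_table IN  VARCHAR2,
  p_owner IN  VARCHAR2,
  p_count OUT NUMBER
) AS
  v_table VARCHAR2(128);
BEGIN
  -- Identifiers cannot be bind variables. SIMPLE_SQL_NAME returns the input
  -- unchanged if it is a simple SQL name and raises ORA-44003 otherwise.
  v_table := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);

  -- Data values never enter the statement text.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || v_table || ' WHERE owner = :owner'
    INTO p_count USING p_owner;
END;
/

-- A name that is not a simple identifier is rejected before any SQL runs.
DECLARE
  n NUMBER;
BEGIN
  count_rows_safe('app_docs', 'SCOTT', n);      -- accepted
  count_rows_safe('app_docs, dual', 'SCOTT', n); -- rejected
EXCEPTION
  WHEN DBMS_ASSERT.INVALID_SQL_NAME THEN
    DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
END;
/
```

SIMPLE_SQL_NAME only checks that the string is a syntactically valid name; restricting callers to an allow-list of expected tables is still the application's job.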