It will not work if the user is not SA user or if the user's account does not have SA privileges

thank you for your answer. But you do not understand the question. It is not sql request, it is sql injection. You should not have admin rights) Do u see  "? Look wiki, please

i don't know a lot about oracl but what i know is that you must prepare the querry before executing it.

for example in php we do:

$sql->prepare("the query here")

and then mysql_execute(bla bla bla ....

this preparing will help you to avoid sql injection. (but i don't know how to do that in oracle).

If you directly bind the statements with front end, it will work.

You can avoid the SQL Injection by implementing Procedures.