Non-web SQL Injection

You never know when Bobby Tables is going to use your Word macro:

[xkcd comic about Bobby Tables]


If you're building SQL in your macro, it's vulnerable to SQL injection. Even if you trust the people who will be using the thing, you should at least watch for the basics, like people trying to put single-quote and semicolon characters into database fields. This isn't so much a security issue in your case as just data validation.


SQL Injection is not just a security threat, it is a very real source of bugs too.

Are you sure that none of your records will ever have an apostrophe (') in them?

INSERT INTO NAMES (FIRSTNAME, LASTNAME) VALUES('Jack', 'O'Neill')

In this case, you have a bug even though nobody wanted to crack your system.
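To show both points from the answers above (the apostrophe bug from plain string concatenation, and the fix that also removes the injection risk), here is an added example that is not part of the original question or answers. It uses Python's sqlite3 module as a stand-in for whatever database the macro talks to; the table name and columns follow the INSERT in the answer, and the names inserted are constructed sample data. The same idea applies to a VBA macro using an ADODB.Command with parameters instead of gluing strings together.

```python
import sqlite3


def make_db():
    """Create an in-memory database with the NAMES table from the answer above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NAMES (FIRSTNAME TEXT, LASTNAME TEXT)")
    return conn


def insert_concatenated(conn, first, last):
    """Build the INSERT by string concatenation, the way a macro often does.

    Returns None on success, or the database error text when the statement
    breaks. Any value containing an apostrophe breaks it, with no attacker
    involved: 'O'Neill' ends the string literal early.
    """
    sql = ("INSERT INTO NAMES (FIRSTNAME, LASTNAME) VALUES('"
           + first + "', '" + last + "')")
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_parameterized(conn, first, last):
    """Send the values separately from the SQL text.

    The driver never treats the data as SQL, so apostrophes, semicolons and
    comment markers are stored literally and the statement cannot change shape.
    """
    conn.execute(
        "INSERT INTO NAMES (FIRSTNAME, LASTNAME) VALUES(?, ?)",
        (first, last),
    )
    conn.commit()


def lookup(conn, first):
    """Return the LASTNAME values stored for a given FIRSTNAME."""
    rows = conn.execute(
        "SELECT LASTNAME FROM NAMES WHERE FIRSTNAME = ?", (first,)
    )
    return [row[0] for row in rows]


def table_exists(conn, name):
    """True if a table with this name still exists (sanity check after inserts)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    # Constructed sample values: one plain, one with an apostrophe,
    # one with an apostrophe and a semicolon.
    print("plain, concatenated:", insert_concatenated(db, "Sam", "Carter"))
    print("apostrophe, concatenated:", insert_concatenated(db, "Jack", "O'Neill"))
    insert_parameterized(db, "Jack", "O'Neill")
    insert_parameterized(db, "Teal", "c'; Jr.")
    print("Jack ->", lookup(db, "Jack"))
    print("Teal ->", lookup(db, "Teal"))
    print("NAMES table intact:", table_exists(db, "NAMES"))
```

Running it shows the concatenated insert of "O'Neill" failing with a syntax error while the parameterized insert stores the same name unchanged; the value with a semicolon is stored as plain text too, and the table is still there afterwards. Doubling every apostrophe in the input is the classic escape for this, but it is easy to forget on one code path, which is why parameters are the better habit even in a macro nobody hostile will ever run.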