Oracle Security Specialist, Alex Kornbrust, demonstrated that there are certain cases where the use of the DBMS_ASSERT.QUALIFIED_SQL_NAME function can be unintentionally misused by developers so that SQL injection is still possible and showing a way to break out of a quoted string to inject arbitrary SQL.
This paper will explore another occasion where using the same function can also allow an attacker to inject arbitrary SQL. The problem arises when the QUALIFIED_SQL_NAME function is used to validate a column name in a select list or where clause for example.