Friday, May 9, 2008

Oracle Forms SQL Injection

As Oracle Forms users, we all like to query records with the "query mode" button, the one with the picture of a database and a question mark. What most people do not know is that behind it sits an old feature called "Query/Where" that lets the user modify the SQL statement a data block executes. It was built for a good purpose, but it is dangerous because every Forms user can use it to execute arbitrary SQL statements over the form's database connection. The feature is available in Oracle Forms versions 3.0 up to 10g.

Short demonstration of Oracle Forms SQL injection:
1. Start a Forms module and switch to query mode (Enter Query)
2. Enter a colon ( : ) or an ampersand ( & ) in a queryable field
3. An empty Query/Where window pops up
4. Inject your SQL statement and execute the query

Example:
My data block queries data from the SUBJECT table.
The normal data block query is "select subject_code, subject_description from subject".
If I put the subject code item into query mode, type ":" or "&" and execute the query, a blank Query/Where box comes up. There I enter "subject_code = '%') union select table_name, null from user_tables--". Once I click "OK", all the table names of the connected schema are shown in the subject code column.

Suggested solutions:
1. Set "Query Allowed" to No for all data block items that appear on the form (and on the block itself if it never needs to be queried)
2. Set the environment variable FORMSxx_RESTRICT_ENTER_QUERY=TRUE (FORMS60_RESTRICT_ENTER_QUERY for Forms 6.x, FORMS90_RESTRICT_ENTER_QUERY for Forms 9.x/10g), which disables the Query/Where feature
3. Use PRE-QUERY/ON-ERROR triggers to detect SQL injection attempts
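To make the mechanism concrete, here is an added example that is not part of the original post and is not Oracle Forms code: a small Python model of how the Query/Where text is spliced into the block's query, together with the kind of allow-list check a PRE-QUERY trigger could apply before the query is allowed to run. The exact statement Forms generates (the block's SELECT followed by a parenthesised WHERE clause) is an assumption chosen to match the shape of the payload above; the column names come from the SUBJECT example.

```python
import re

# Base query of the SUBJECT data block, as in the example above.
BASE_QUERY = "select subject_code, subject_description from subject"

# Items of the block that a user may legitimately query on (assumed list).
QUERYABLE_COLUMNS = {"subject_code", "subject_description"}

# Payload from the example above.
INJECTED_WHERE = "subject_code = '%') union select table_name, null from user_tables--"


def build_query(base_query: str, query_where: str) -> str:
    """Model of the Forms behaviour: the Query/Where text becomes the WHERE clause.

    Assumption: Forms wraps the text in parentheses, which is why the payload
    opens with '%') to close the bracket and ends with -- to comment out the rest.
    """
    if not query_where.strip():
        return base_query
    return f"{base_query} where ({query_where})"


# One comparison: <column> <operator> <string or number literal>.
_COMPARISON = r"\w+\s*(?:<>|!=|<=|>=|=|<|>|\blike\b)\s*(?:'[^']*'|\d+)"

# Accept only comparisons optionally chained with AND/OR: no parentheses,
# subqueries, UNION, comment markers, functions or string concatenation.
_ALLOWED_WHERE = re.compile(
    rf"^\s*{_COMPARISON}(?:\s+(?:and|or)\s+{_COMPARISON})*\s*$", re.IGNORECASE
)
_COLUMN_REF = re.compile(r"(\w+)\s*(?:<>|!=|<=|>=|=|<|>|\blike\b)", re.IGNORECASE)


def is_safe_query_where(query_where: str) -> bool:
    """Allow-list check of the kind a PRE-QUERY trigger could apply."""
    if not _ALLOWED_WHERE.match(query_where):
        return False
    referenced = _COLUMN_REF.findall(query_where)
    # Every left-hand side must be one of the block's own queryable columns.
    return all(col.lower() in QUERYABLE_COLUMNS for col in referenced)


def guarded_query(query_where: str) -> str:
    """Build the query only if the Query/Where text passes the allow-list.

    Raises ValueError otherwise; in a real Forms trigger this is where
    RAISE FORM_TRIGGER_FAILURE would abort the query.
    """
    if not is_safe_query_where(query_where):
        raise ValueError(f"rejected Query/Where text: {query_where!r}")
    return build_query(BASE_QUERY, query_where)


if __name__ == "__main__":
    for text in (
        "subject_code = 'CS101'",
        "subject_code like 'CS%' and subject_description <> 'Retired'",
        INJECTED_WHERE,
        "1 = 1",
    ):
        print(build_query(BASE_QUERY, text))
        print("  allowed" if is_safe_query_where(text) else "  REJECTED")
```

Running the module shows the injected text turning the block's SELECT into a UNION against USER_TABLES, while the allow-list rejects it and also rejects tautologies such as "1 = 1" because the left-hand side is not a queryable column. A real PRE-QUERY trigger has no way to see a "correct" version of the user's SQL, which is why the check is an allow-list of simple comparisons rather than a denylist of keywords.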

1 comment:

Anonymous said...

Those are all very good.

I need the code to browse for a picture on my system, upload it into an image box, then save it in my database.

Kindly send me that code.

chessmaster.grandmaster@yahoo.com