Bert Wagner explains what he calls second-order SQL injection attacks:
SQL injection attacks that delay execution until a secondary query are known as “second order”.
This means a malicious user can inject a query fragment into a query (that’s not necessarily vulnerable to injection), and then have that injected SQL execute in a second query that is vulnerable to SQL injection.
Let’s look at an example.
Another way of thinking about this is a persisted SQL injection attack, akin to reflected versus persisted cross-site scripting attacks. The fix is, don’t trust unsanitized user input. Just because you put a user’s data into your database doesn’t mean that someone sanitized it, so treat that stuff as unsafe unless you know otherwise.