SQL injection vulnerability in SQL based reports

SQL injection vulnerability in SQL based reports

Hello,

I wanted to ask if the build in SQL drivers does allow Non-Select Statements and is it possible to block it, like in Qlik Sense.
Is there a theoretical vulnerability, that using a paramater in a report or task, that is later used as part of SQL query, a user can inject an unwanted code into the query like a drop table command?

Best Regards
Mateusz