what is an sql injection

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. It is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed as part of the query.

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

SQL injection usually occurs when a user is asked for input, such as a username or user ID, and instead of a name or ID the user supplies an SQL fragment that the application unknowingly runs against the database. For example, an attacker might get access to all the user names and passwords in a database by simply entering 105 OR 1=1 into the input field: the condition 1=1 is always true, so a query built by pasting that input into its WHERE clause matches every row.

To prevent SQL injection attacks, parameterized statements can be used instead of embedding user input directly in the statement text. A placeholder can only hold a value of the given type, never an arbitrary SQL fragment, so the structure of the query is fixed before any user input is seen. An attempted injection is therefore simply treated as a strange (and probably invalid) parameter value.
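The two preceding paragraphs describe the mechanism and its fix. The following is an added example, not code from the original page: a constructed in-memory SQLite table with three users, a vulnerable lookup that concatenates the input into the query text, and a parameterized lookup that binds the same input as a value. The function and table names are assumptions made for this illustration. The page's own input, `105 OR 1=1`, returns every row through the vulnerable function and no rows through the parameterized one.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(105, "alice"), (106, "bob"), (107, "carol")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    # The input is pasted into the statement text, so it can change the
    # structure of the query (add an OR clause) instead of just supplying a value.
    query = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user_id):
    # The "?" placeholder binds user_id as a single value. The SQL text never
    # changes, so "105 OR 1=1" is compared against the id column as one odd
    # string that matches nothing, rather than parsed as SQL.
    query = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (user_id,))]


def lookup_typed(conn, user_id):
    # Stronger still: enforce the expected type before the query is even built,
    # so malformed input is rejected with an error instead of reaching the DBMS.
    # This is the "strongly typed" point from the text above.
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user id must be an integer")
    query = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (numeric_id,))]


if __name__ == "__main__":
    db = make_db()
    for user_input in ("105", "105 OR 1=1"):
        print(repr(user_input),
              "vulnerable ->", lookup_vulnerable(db, user_input),
              "| parameterized ->", lookup_parameterized(db, user_input))
```

With the legitimate input `"105"` all three functions return `["alice"]`. With `"105 OR 1=1"` the vulnerable function returns all three names, the parameterized function returns an empty list, and the typed function raises a `ValueError` before any SQL runs. Logging that rejection is a cheap detection signal: a stream of non-numeric values arriving in a numeric-ID field is worth alerting on.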

In summary, SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database by inserting malicious SQL code through the application's inputs. It can be prevented by using parameterized statements, which bind user input as values, instead of embedding user input in the statement text.
