What is SQL injection and how to prevent it?

· Category: Cybersecurity

Short answer

SQL injection is an attack where malicious SQL code is inserted into application queries. It can read, modify, or delete database data and sometimes execute commands on the server.

How it works

Applications that build SQL queries by concatenating user input into the query string are vulnerable. An attacker enters input such as ' OR '1'='1 to change the logic of the query. In severe cases the attacker can run statements such as DROP TABLE or exfiltrate data with UNION SELECT.

Example

A login query built as SELECT * FROM users WHERE username = ' + input + ' AND password = ' + input2 + ' can be bypassed by entering ' OR '1'='1 in the username field.
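
The following is an added example, not code from the original page: the concatenated login query above next to its hardened form using a parameterized query, run against a constructed in-memory SQLite table. Because AND binds tighter than OR, the page's ' OR '1'='1 input is supplied in both fields so that the bypass actually succeeds against this exact query; the parameterized version treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample database with a single user (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Builds the query by string concatenation, exactly as the page's example does.
    The user input becomes part of the SQL text and is parsed as SQL."""
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns True if the concatenated query matches any row."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened form: placeholders are bound by the driver, so the input can
    never change the structure of the statement, only the compared values."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(build_vulnerable_query(payload, payload))
    print("vulnerable login bypassed:", login_vulnerable(db, payload, payload))
    print("parameterized login bypassed:", login_safe(db, payload, payload))
```

Printing the concatenated query shows why the bypass works: the database sees username = '' OR '1'='1' AND password = '' OR '1'='1', and the final OR '1'='1' is always true.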

Why it matters

SQL injection has caused some of the largest data breaches in history. It exposes customer data, financial records, and intellectual property. Prevention is straightforward but requires developer discipline.