SQL Injection

Definition

SQL injection is an attack technique in which malicious SQL code is entered into a web application's input field to gain unauthorised access to the underlying database.

In SQL injection, an attacker exploits insecure input handling in a web application. By embedding specially crafted SQL commands in forms or URL parameters, an attacker can manipulate database queries.

Consequences include reading all database data (including passwords), modifying or deleting records and, in some cases, executing operating system commands via the database.

SQL injection has been in the OWASP Top 10 for years. Defence consists of parameterised queries (prepared statements), input validation and regular code security reviews.

Related terms

Vulnerability Scan, Pentest, CVE