SQL injection occurs when an attacker supplies input that the application builds into an SQL query, through fields such as login forms, search boxes or URL parameters. If the application concatenates user input directly into the query text, without proper validation and without parameterised statements, the database cannot tell where the query ends and the input begins, so it executes the attacker's SQL as part of the legitimate query.
Common attack scenarios include:
- Bypassing login screens by supplying input that turns the WHERE clause into a condition that is always true (the classic example is a password of ' OR '1'='1)
- Extracting sensitive data like customer records, passwords, or payment information
- Modifying or deleting database contents
- Executing administrative operations on the database server, where the database account the application uses has the privileges to do so
Why this matters: SQL injection ranks among the most dangerous web vulnerabilities because databases typically store an organisation's most sensitive information. A successful attack can lead to a complete data breach, regulatory fines, reputational damage, and service downtime.
How to protect against it: developers should use parameterised queries (prepared statements), which keep the SQL text fixed and send user input to the database as separate values that are never interpreted as code. This is the primary control. Input validation against an allowlist of permitted characters or values, and running the application under a database account with the least privilege it needs, limit the damage from any flaw that slips through but are not substitutes for parameterisation. One caveat: parameters can only carry values, not identifiers, so a table or column name taken from user input (a sort column, for instance) must be checked against a fixed list of allowed names before it is placed in the query. Regular security audits and penetration testing help identify vulnerable code before attackers do.
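The following is an added example written for this page, not code from any product or project it describes. It puts the vulnerable login from the attack scenarios above beside the parameterised version recommended here, runs the ' OR '1'='1 bypass against both, and shows an allowlist for a sort column, which cannot be parameterised. It uses Python's built-in sqlite3 module; the users table, the sample accounts (constructed, with plaintext passwords only so the injected condition is easy to read) and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
# Real systems store password hashes, not plaintext; plaintext is used here
# only so the effect of the injected condition is easy to follow.
SAMPLE_USERS = [
    ("alice", "correct-horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The query text the vulnerable login sends: input is spliced into the SQL."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Vulnerable: string concatenation, so a quote in the input changes the
    meaning of the query. Returns the matched username, or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised: the SQL text is fixed and the driver binds the values
    separately, so they are compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Placeholders carry values only, not identifiers. A column name that comes
# from the client (e.g. a sort parameter) is checked against a fixed allowlist
# of names we control before it is placed in the query text.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users(conn, sort_by):
    """Return usernames ordered by an allowlisted column; reject anything else."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Splicing is safe only because sort_by is now one of our own fixed strings.
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("query sent:", build_vulnerable_query("alice", payload))
    print("vulnerable login, bogus password:", login_vulnerable(conn, "alice", payload))
    print("parameterised login, same input:", login_safe(conn, "alice", payload))
    print("users sorted by role:", list_users(conn, "role"))
```

With the payload as the password, the concatenated query becomes WHERE username = 'alice' AND password = '' OR '1'='1', which is true for every row, so login_vulnerable returns a user without knowing any password; login_safe compares the same string literally and finds nothing. The same injection placed in the username field (' OR 1=1 --) comments out the password check entirely. Note also that sqlite3's execute() refuses to run more than one statement per call, so stacked queries such as '; DROP TABLE users; -- fail in this driver; that is driver behaviour, not a defence to rely on.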
If you're buying software or web services, ask vendors about their security practices, particularly whether they use parameterised queries and conduct regular security testing. Open-source projects with active maintenance communities tend to patch vulnerabilities faster than abandoned software.
