SQL Injection

SQL Injection is when someone finds a way to mess with an application’s database by sneaking harmful code into places where the app expects user input.

SQL Injection happens when an attacker enters malicious SQL code into a form, URL, or any field that interacts with a database, tricking it into doing something it wasn’t meant to—like giving away sensitive data or making changes to the database.

SQL Injection is a big deal because it’s one of the most common ways hackers can break into systems. If successful, it can lead to personal data leaks, account takeovers, or even complete deletion of data.

An attacker injects harmful SQL code into an input field (like a login form or search box) that isn’t properly secured. Instead of treating the input as plain text, the database runs it as a command, allowing the attacker to get inside or manipulate data.

1. Typing `'; DROP TABLE users;--` into a form could make the app delete the entire user database. 2. Entering `' OR '1'='1` in the username field might allow someone to bypass login without knowing the password. 3. In a search field, injecting `'; UPDATE accounts SET balance=0;--` could reset everyone’s account balance to zero.

SQL Injection usually happens when user input isn’t properly validated or sanitised. Developers can avoid this by using parameterised queries, prepared statements, and checking inputs carefully before letting them interact with the database.