Also called: "sqli", "sql attack"
SQL injection occurs when untrusted input is concatenated directly into the text of a SQL query, so the database parses the attacker's input as part of the statement rather than treating it as a plain value.
How attacks work
- The attacker supplies input containing SQL syntax (quotes, operators, comment markers) in a field where the application expects a plain value such as a username.
- Because the value is spliced into the query string, the database parses the attacker's text as part of the statement and executes it with the privileges of the application's database account.
- Depending on the query and the account's rights, the outcome can be reading data the user should not see, modifying or deleting rows, or bypassing an authentication check.
Example vulnerable code
SELECT * FROM users WHERE username = '$input';
-- Input: ' OR '1'='1
-- Result: SELECT * FROM users WHERE username = '' OR '1'='1';
-- The quote at the start of the input closes the string literal the query opened, leaving an empty username, and '1'='1' is always true, so the WHERE clause matches every row in the table.
Prevention
- Use parameterized queries (prepared statements): the query text is fixed and each value is bound separately, so input is never parsed as SQL. This is the primary fix; the remaining items are defence in depth.
- Validate input against what the field should contain (type, length, allowed characters). Escaping or blacklisting characters is fragile and database-specific, so do not rely on it in place of parameterization.
- Apply the principle of least privilege to database accounts: the application's account should have only the rights its queries need (for example, no DROP or ALTER, no access to unrelated tables), which limits what a successful injection can do.
- A web application firewall (WAF) can block common injection patterns, but encoding and syntax variations can bypass it; treat it as an additional layer, not a substitute for fixing the code.
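The vulnerable pattern from the example above placed next to its parameterized replacement, as an added example that is not part of the original page. It uses Python's built-in sqlite3 module with an in-memory database; the users table, the row data, the login check and the function names are assumptions made for the demonstration. It covers both the mechanics described under "How attacks work" (the page's payload returning every row and bypassing a login) and the prepared-statement fix under "Prevention".

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
# Passwords are stored in plaintext only to keep the example short; a real
# application stores password hashes.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
    (3, "carol", "letmein"),
    (4, "o'brien", "apostrophe"),  # a legitimate name containing a quote
]

# The page's payload: closes the open string literal, then appends an
# always-true condition.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern from the page: the value is concatenated into the query
    text, so the database parses whatever the caller typed as SQL."""
    query = f"SELECT id, username FROM users WHERE username = '{username}' ORDER BY id;"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the query text is fixed and the value is bound
    separately, so quotes in the input are data, never syntax."""
    query = "SELECT id, username FROM users WHERE username = ? ORDER BY id;"
    return conn.execute(query, (username,)).fetchall()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authentication bypass: with the payload as the password the WHERE
    clause becomes (username = 'alice' AND password = '') OR '1'='1',
    which is true for every row, so the login succeeds."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}';"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters; the payload is just a wrong password."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?;"
    return conn.execute(query, (username, password)).fetchone() is not None


def concatenation_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """Concatenation is also a correctness bug: a legitimate username that
    contains a quote produces a syntax error, which is often the first sign
    during testing that a query is injectable."""
    try:
        lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup, payload    :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized lookup, payload :", lookup_parameterized(db, PAYLOAD))
    print("vulnerable login, payload     :", login_vulnerable(db, "alice", PAYLOAD))
    print("parameterized login, payload  :", login_parameterized(db, "alice", PAYLOAD))
    print("concatenation breaks on quote :", concatenation_breaks_on_apostrophe(db))
```

Running the script shows the concatenated lookup returning all four rows for the payload while the parameterized lookup returns none, and the concatenated login accepting the payload as a valid password. The parameterized versions also handle the legitimate username o'brien correctly, which the concatenated query cannot.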