What is SQL Injection?
SQL injection (SQLi) is an application security weakness that allows attackers to interfere with an application's database – letting them read or delete data, change application behaviour that is driven by that data, and do other undesirable things – by tricking the application into running unexpected SQL commands. SQL injection is among the most frequent threats to data security.
SQL injection vulnerabilities occur when an application uses untrusted data, such as data entered into web form fields, as part of a database query. When an application fails to properly sanitize this untrusted data before adding it to a SQL query, an attacker can inject their own SQL commands, which the database then executes. Such SQLi vulnerabilities are easy to prevent, yet SQLi remains a major web application vulnerability, and many organizations are still exposed to potentially destructive data breaches caused by SQL injection.
Attackers supply input specially crafted to trick an application into modifying the SQL queries that the application asks the database to run. This allows the attacker to:
Control the behavior of the application that depends on data in the database, for example tricking an application into allowing a login without a valid password.
Alter data in the database without authorization, for example creating fraudulent records, adding users, “promoting” users to higher levels of access, or deleting data.