What Is SQL Injection?
SQL injection is a vulnerability class in which untrusted input is incorporated into a database query in a way that lets the database parse it as part of the SQL statement rather than as a plain data value, potentially allowing an attacker to view, modify, or delete data they should not have access to. This page explains the concept for awareness; it does not provide working exploit payloads.
Why It Happens
SQL injection typically occurs when user input is concatenated directly into a query string instead of being treated strictly as data. The database parser cannot tell where the developer's SQL ends and the attacker-controlled text begins, so a quote character or keyword inside the input changes the structure of the statement itself.
conceptual — vulnerable pattern (illustrative only)
// Untrusted input mixed directly into a query string is risky:
// a quote or keyword in userInput becomes part of the SQL the database parses
query = "SELECT * FROM users WHERE name = '" + userInput + "'";
conceptual — safer pattern using parameterization
// Parameterized queries keep data separate from query logic:
// the statement text is fixed and the value is bound by the driver, never parsed as SQL
query = "SELECT * FROM users WHERE name = ?";
execute(query, [userInput]);
Prevention Techniques
- Always use parameterized queries or prepared statements for every value that comes from outside the application.
- Validate input against the expected format, preferably with an allowlist; this matters most for things a placeholder cannot carry, such as table or column names and sort directions, which must be matched against a fixed set of known-good values rather than escaped.
- Run the application with a least-privilege database account (for example, read-only where the feature only reads) so that a successful injection is limited in what it can do.
- Employ a web application firewall as an additional layer of defense, not as a substitute for fixing the code.
- Keep database drivers and frameworks updated.
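The following is an added, runnable example (not code from the original page) that puts the two patterns above and the first three prevention techniques side by side using Python's built-in sqlite3 module. It builds an in-memory table from constructed sample rows, shows that the concatenated query breaks as soon as legitimate input contains a quote (because the input is being parsed as SQL) while the parameterized query handles the same input correctly, validates an ORDER BY column against an allowlist because identifiers cannot be bound as parameters, and uses SQLite's PRAGMA query_only as a stand-in for a least-privilege (read-only) database account. The table layout, sample rows, the ALLOWED_SORT_COLUMNS set and all function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample rows for this demonstration (not data from the original page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]

# Allowlist of column names the caller may sort by (an assumption for this example).
# Identifiers cannot be bound as parameters, so they are validated against a fixed
# set of our own literals instead of being escaped.
ALLOWED_SORT_COLUMNS = ("name", "email")


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, user_input):
    """String concatenation: the SQL parser sees user_input as part of the statement."""
    query = "SELECT name, email FROM users WHERE name = '" + user_input + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_input):
    """Parameterized: the statement text is fixed; the value is bound separately."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (user_input,)).fetchall()


def list_users_sorted(conn, sort_column):
    """ORDER BY needs an identifier, which a placeholder cannot supply.

    Reject anything not in the allowlist instead of trying to sanitize it.
    """
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe to interpolate here: sort_column is one of our own literals, not raw input.
    query = f"SELECT name, email FROM users ORDER BY {sort_column}"
    return conn.execute(query).fetchall()


def make_read_only(conn):
    """Least privilege in miniature: PRAGMA query_only makes SQLite refuse writes.

    This limits the damage of a successful injection; it does not prevent one,
    so it complements parameterized queries rather than replacing them.
    """
    conn.execute("PRAGMA query_only = ON")
    return conn


def compare(user_input):
    """Run both query styles on the same input and return what each produced."""
    conn = make_db()
    try:
        vulnerable = find_user_vulnerable(conn, user_input)
    except sqlite3.Error as exc:
        # The concatenated statement is no longer valid SQL: the input was parsed as code.
        vulnerable = f"error: {exc}"
    safe = find_user_safe(conn, user_input)
    conn.close()
    return {"vulnerable": vulnerable, "safe": safe}


def write_is_blocked():
    """Return True if a read-only connection refuses a data-changing statement."""
    conn = make_read_only(make_db())
    try:
        conn.execute("DELETE FROM users")
        blocked = False
    except sqlite3.OperationalError:
        blocked = True
    conn.close()
    return blocked


if __name__ == "__main__":
    for text in ("alice", "O'Brien"):
        print(repr(text), compare(text))
    print("sorted by email:", list_users_sorted(make_db(), "email"))
    print("write blocked on read-only connection:", write_is_blocked())
```

For the plain name "alice" both versions agree; for "O'Brien" the concatenated version fails with a syntax error while the parameterized version returns the row, which is exactly the data/code confusion the vulnerable pattern introduces. The allowlist check rejects any sort column it does not recognize, and the read-only connection shows why a least-privilege account is worth having even once the query code is fixed.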
This tutorial is strictly educational and defensive. Testing for vulnerabilities should only be done on systems you own or have explicit written authorization to test.