What is SQL injection?

SQL injection is a technique where users can inject SQL commands into an SQL statement via web page input. The injected SQL commands can alter the SQL statement, leading to security issues.

Consider a web page which allows a user to input a User ID and retrieve user data.

Now if a user enters the ‘UserId’ as 500 or 1=1, the SQL statement becomes SELECT * FROM Users WHERE UserId = 500 or 1=1.

Because 1=1 is always true, the above SQL would retrieve all rows from the Users table.

This would allow someone to get hold of all the users' data, such as passwords.

There are other ways to do the same, and there are ways to protect against it as well.
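
As an added example (not code from the original page), the following Python script uses the standard sqlite3 module to run the 500 or 1=1 input from above against a query built by string concatenation and against a parameterized query, which is one of the ways to protect against injection. The table contents and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory Users table; all rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(499, "alice", "hash-a"), (500, "bob", "hash-b"), (501, "carol", "hash-c")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """Concatenates the input into the statement, so the input can change the SQL."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    """Binds the input as a value: it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()

def lookup_validated(conn, user_id):
    """Rejects anything that is not a plain decimal number before binding it."""
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("UserId must be numeric")
    return lookup_parameterized(conn, int(user_id))

if __name__ == "__main__":
    conn = make_db()
    payload = "500 or 1=1"  # the input discussed above
    print("concatenated :", lookup_vulnerable(conn, payload))     # every row
    print("parameterized:", lookup_parameterized(conn, payload))  # no rows
    print("normal lookup:", lookup_parameterized(conn, "500"))    # one row
    try:
        lookup_validated(conn, payload)
    except ValueError as exc:
        print("validated    : rejected,", exc)
```

With the bound parameter, the whole string 500 or 1=1 is treated as a single value that matches no UserId, so the WHERE clause keeps its original meaning.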