What is SQL Injection?
A web vulnerability where attacker-controlled input is concatenated into a database query, letting them read, modify, or destroy data.
When an application builds SQL by gluing user input into the query string, an attacker can inject syntax like ' OR 1=1-- to bypass authentication, dump tables, or even execute commands. It maps to CWE-89.
It remains one of the most damaging and common web flaws despite being trivially preventable.
How to defend
Always use parameterized queries / prepared statements; never concatenate user input into SQL. Apply least-privilege database accounts.
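The contrast between concatenation and a parameterized query, as an added example that is not part of the glossary entry. It uses Python's sqlite3 against a constructed in-memory users table; the table contents and the login functions are assumptions made for illustration only.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """CWE-89 pattern: user input is glued into the query string.

    A quote in the input closes the string literal, so the rest of the input
    is parsed as SQL; a trailing -- comments out the password check.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: a parameterized query.

    The SQL text is fixed; the driver binds the values separately, so the
    input is only ever compared as data and is never parsed as SQL syntax.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    payload = "' OR 1=1--"  # the bypass string mentioned in the glossary
    print("concatenated :", vulnerable_login(make_db(), payload, "anything"))  # True
    print("parameterized:", safe_login(make_db(), payload, "anything"))        # False
    print("real creds   :", safe_login(make_db(), "alice", "correct horse"))   # True
```

The same payload authenticates against the concatenated query and fails against the parameterized one; pairing the fix with a database account that can only read the users table limits what a remaining flaw could do.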
Part of the Ciphers Security glossary. Free reference for analysts, defenders & learners.