Cybersecurity Glossary

What is SQL Injection?

An SQL Injection is a security flaw, present in many web applications, that allows an attacker to execute arbitrary SQL queries against the application's database. The term "injection" refers to the way the flaw is exploited: additional content supplied by the user is inserted into the SQL statement the application builds, changing what that statement does.

The flaw arises when a web application takes data provided by a user, for example through a form field, and uses it to build the SQL statement for a database query. If the code that builds this statement does not adequately validate or escape the user-supplied data, that data can contain characters with special meaning to the database engine, such as single or double quotation marks, and these characters alter the structure of the statement that is finally executed.

To avoid this problem, use a web framework that includes security measures for database access, or build SQL statements through a mechanism that keeps user data separate from the SQL text, such as prepared statements with bound parameters.
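The contrast between the two approaches described above, as an added example that is not part of the original glossary entry. It uses Python's built-in sqlite3 module and a small in-memory database constructed here for illustration; the table, the rows and the function names are assumptions for this example. The concatenating function shows how a quotation mark in ordinary user input (a surname such as O'Brien) becomes part of the SQL text and breaks the statement, while the prepared statement treats the same input purely as data:

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("O'Brien", "obrien@example.com"),  # a legitimate name containing a quote
        ],
    )
    conn.commit()
    return conn


def build_concatenated_sql(name):
    """Return the SQL text a vulnerable application would send to the engine.

    The user's input is pasted straight into the statement, so any quotation
    mark it contains is interpreted as SQL syntax rather than as data.
    """
    return "SELECT name, email FROM users WHERE name = '" + name + "'"


def find_user_vulnerable(conn, name):
    """Vulnerable pattern: statement built by string concatenation."""
    return conn.execute(build_concatenated_sql(name)).fetchall()


def find_user_safe(conn, name):
    """Safe pattern: prepared statement with a bound parameter.

    The SQL text is fixed; the driver passes `name` to the engine as a value,
    so quotation marks inside it never change the statement's structure.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both patterns on a plain name and on a name containing a quote."""
    conn = make_db()
    results = {
        "safe_plain": find_user_safe(conn, "alice"),
        "safe_quote": find_user_safe(conn, "O'Brien"),
        "vuln_plain": find_user_vulnerable(conn, "alice"),
        "vuln_sql_text": build_concatenated_sql("O'Brien"),
    }
    try:
        find_user_vulnerable(conn, "O'Brien")
        results["vuln_quote"] = "no error"
    except sqlite3.Error as exc:
        # The quote in the input terminated the string literal early, so the
        # engine received a malformed statement. This is the same mechanism
        # by which crafted input can change what a query does.
        results["vuln_quote"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `vuln_sql_text` entry shows the statement the engine actually receives (`... WHERE name = 'O'Brien'`), which is why the concatenated version fails on perfectly valid input while the parameterised version returns the matching row. A review of an application's data-access code should treat any query assembled with string concatenation or formatting from request data as a finding, regardless of whether the input is currently "filtered".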

The OWASP Foundation, which watches over security in application development, recognises injection vulnerabilities, such as SQL injection, as part of its Top 10 list of the most common vulnerabilities.