What is SQL injection?

Answer

SQL injection (SQLi) is an attack in which untrusted input is concatenated into a SQL query, so that attacker-supplied SQL syntax is executed by the database. Example: a login form builds the query SELECT * FROM users WHERE username='$user' AND password='$pass' by string concatenation. An attacker enters admin'-- as the username, producing SELECT * FROM users WHERE username='admin'--' AND password='...'; the -- comments out the rest of the statement, including the password check, so authentication is bypassed. SQLi can allow attackers to read, modify, or delete database data, execute administrative operations, and sometimes execute OS commands. Prevention: (1) Parameterized queries / prepared statements (most important). (2) Stored procedures (only if they are themselves parameterized and do not build dynamic SQL internally). (3) Input validation and whitelisting. (4) Least-privilege database accounts. (5) WAF (as a supplementary layer, not a replacement for the above). SQLi is consistently #1 or top-3 in the OWASP Top 10.