SQL injection is a technique for injecting (and executing) SQL commands in the database behind an application. It is mainly used to gain access to a database's content for which one has no authorization. The method injects SQL commands by supplying, as input to a SQL statement, a value that contains SQL meta-characters such as quotes.
Example statement: <strong>select * from user where username='input'</strong>
SQL injected input: <strong>user' OR '1'='1</strong>
The final statement: <strong>select * from user where username='user' OR '1'='1'</strong>
Since '1'='1' is always true, the WHERE clause matches every row, and this statement would return all the users in the database!
Depending on the SQL command the injected input reaches, an attacker could insert, modify, extract or delete data in the database.
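To make the mechanism concrete, here is an added example (not code from the original page) that runs the page's statement against an in-memory SQLite database. The `user` table, its three sample rows and the function names are assumptions constructed for the demonstration. The vulnerable function builds the query by string concatenation exactly as the page describes, so the injected input changes the meaning of the statement; the hardened function uses a parameterised query, so the same input is only ever compared as a data value and matches nothing.

```python
import sqlite3

# Constructed sample data: the table and rows are assumptions, not from the page.
USERS = [("alice",), ("bob",), ("carol",)]

# The injected input shown on the page.
INJECTED_INPUT = "user' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT NOT NULL)")
    conn.executemany("INSERT INTO user (username) VALUES (?)", USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the input is pasted into the SQL text.

    Quotes and keywords inside the input are parsed as SQL, so
    "user' OR '1'='1" turns the WHERE clause into a condition that is always true.
    """
    sql = "SELECT username FROM user WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a parameterised query.

    The statement text is fixed and the value is bound separately by the driver,
    so the input can never alter the structure of the query.
    """
    sql = "SELECT username FROM user WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both variants with a normal and an injected input and return the rows each sees."""
    conn = make_db()
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_injected": find_user_vulnerable(conn, INJECTED_INPUT),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the vulnerable lookup returning all three users for the injected input while the parameterised lookup returns no rows for it; the fix is to never build SQL from concatenated user input and to bind every value as a parameter.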