What is SQL Injection?
SQL Injection is a form of security attack on a database-driven web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.
SQL Injection attacks are used to steal information from a database that would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database.
SQL Injection attacks are typically easy to avoid by ensuring that a system performs strong validation of all user input.
As the name suggests, SQL Injection means injecting SQL into a query, which can be dangerous for any database.
Let's look at an example of SQL Injection:
SELECT email, password, login_id, full_name
FROM employee
WHERE email ='xx'
Now suppose that instead of 'xx' someone supplies the input xx'; DROP TABLE employee; -- (the quote closes the string literal, and the trailing -- turns the rest of the original query into a comment).
So the actual query becomes:
SELECT email, password, login_id, full_name
FROM employee
WHERE email ='xx'; DROP TABLE employee; --'
So now there are two queries to be executed on the database: one will select, and the other will drop the employee table.
This is dangerous.
So always validate user input, both at the front-end and at the back-end, to avoid SQL Injection.
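The following is an added example, not code from the original article. It uses Python's standard sqlite3 module with a constructed in-memory employee table (the table, the one sample row and the helper names are assumptions made for this example) to show the vulnerable string-building pattern from the article beside the two defences: an allow-list check on the input, and a parameterised query, which is the standard defence because the database driver sends the value separately from the SQL text so it can only ever be compared as data.

```python
import re
import sqlite3

# The article's injected input: closes the quote, adds a second statement,
# and comments out the rest of the original query.
PAYLOAD = "xx'; DROP TABLE employee; --"

SELECT_SQL = "SELECT email, password, login_id, full_name FROM employee WHERE email = "


def make_db():
    """Build a constructed sample database (not real data) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (email TEXT, password TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.execute(
        "INSERT INTO employee VALUES ('alice@example.com', 'hash', 'alice', 'Alice Example')"
    )
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with the given name still exists."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_query_unsafe(email):
    """The vulnerable pattern from the article: user input pasted into the SQL text."""
    return SELECT_SQL + "'" + email + "'"


def lookup_unsafe(conn, email):
    """Vulnerable lookup: runs every statement in the concatenated text.

    executescript is used because, like many database APIs, it executes a
    whole batch; sqlite3's plain execute() refuses multiple statements.
    Returns whether the employee table survived the call.
    """
    conn.executescript(build_query_unsafe(email))
    return table_exists(conn, "employee")


def lookup_safe(conn, email):
    """Parameterised lookup: the value is bound to the ? placeholder, never
    spliced into the SQL, so a quote or semicolon inside it is just data."""
    return conn.execute(SELECT_SQL + "?", (email,)).fetchall()


def is_valid_email(value):
    """Back-end allow-list validation, as the article recommends: only accept
    strings that look like an e-mail address. A quote or semicolon fails here."""
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value) is not None


def lookup_validated(conn, email):
    """Defence in depth: reject malformed input first, then query with parameters."""
    if not is_valid_email(email):
        raise ValueError("rejected input: not an e-mail address")
    return lookup_safe(conn, email)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable query text:", build_query_unsafe(PAYLOAD))
    print("safe lookup with payload returns:", lookup_safe(conn, PAYLOAD))
    print("table still exists after safe lookup:", table_exists(conn, "employee"))
    print("payload passes validation:", is_valid_email(PAYLOAD))
    print("table exists after unsafe lookup:", lookup_unsafe(conn, PAYLOAD))
```

Running it shows the parameterised query returning no rows and leaving the table intact, the validator rejecting the payload outright, and the concatenated version executing the second statement. The validator is the article's front-end/back-end input check; the parameterised query is what stops the injection even if validation is forgotten.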