Promptles
Security

SQL Injection

beginner

Definition

An old but devastating attack where someone types a database command into a normal-looking form field. If the website sloppily glues that text straight into its database queries, the attacker's command runs: letting them read, change, or even delete every record. It's prevented by treating user input strictly as data, never as instructions.

In the wild

An attacker types a sneaky string into a website's login box that, instead of being treated as a username, tricks the database into returning every user's account. A site protected against SQL injection would treat the input as just text: even if it looks like a database command, it gets ignored as gibberish.

More from Security