SQL Injection is the exploitation of weak data-entry filtering to insert or "inject" user-defined SQL statements into an application which executes them. SQL injection can happen when an application allows a user to freely enter values (such as via a form) containing SQL statements which the application submits, unchanged, to a SQL DBMS.
For example, if $id represents the user's input, the application might construct a query using the following template:
qry = "SELECT * FROM users WHERE ID = $id"If the user enters legitimate data, such as 1234, for $id then all is fine. The generated query string is:
SELECT * FROM users WHERE ID = 1234However, if instead of entering a valid value, the user enters 1234; drop table users, the generated query string is:
SELECT * FROM users WHERE ID = 1234; drop table usersA malicious user does this knowing that it will result in execution of both the intended SQL statement and the "injected" SQL.
This particular example will only work with DBMS APIs that allow multiple SQL statements per query. Many do not, but that does not necessarily eliminate SQL injection. The degree to which SQL injection is permitted depends on both the application coding and the SQL DBMS API employed.
SQL injection is merely one type of exploit in a general category of exploits where external inputs to a system can cause unintended behaviour with possible security implications, such as undesirable execution of user-entered code. BufferOverflow exploits are a distantly-related member of this same category.
See also DataTransferObjectInjection, LispInjection, SqlStringsAndSecurity, PreparedStatement, DynamicSql