SQL Injection
A vulnerability where attacker input is interpreted as part of a database query instead of as data.
Reviewed by the RadarTrek editorial team · June 2026
SQL injection happens when user input is concatenated directly into a query string, so an attacker can reshape the query itself: extracting data they should not see, bypassing login checks, or deleting tables. Parameterised queries (or an ORM that uses them under the hood) close this off by sending user input to the database as a bound value, never as part of the SQL syntax.
Why it matters
- It remains one of the OWASP Top 10's most damaging categories because a single successful injection can expose an entire database.
- String-concatenated SQL is the root cause every time; parameterised queries are not a "best practice," they're the actual fix.
- ORMs reduce risk but don't eliminate it: raw query escapes or string-built `WHERE` clauses can still reintroduce the hole.
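The following is an added example (not from the original page or any RadarTrek lesson) that puts the concatenated query beside its parameterised form on a constructed in-memory SQLite table, so you can see the same input land as syntax in one and as data in the other. The table layout, user record and `compare` helper are assumptions made for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, in memory, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("alice", "hash-of-alice-pw"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """Splices input into the SQL text, so a quote in the input becomes SQL syntax."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str):
    """Binds input through placeholders; the driver passes it as a value, never as syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def compare(username: str, password_hash: str) -> dict:
    """Run the same credentials through both versions and report what each returns."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password_hash),
        "parameterised": login_parameterised(conn, username, password_hash),
    }


if __name__ == "__main__":
    # Legitimate credentials: both versions find the user (id 1).
    print(compare("alice", "hash-of-alice-pw"))
    # Constructed injection string in the password field: the leading quote closes the
    # literal and the OR makes the WHERE clause true for every row, so the concatenated
    # query returns a user without any valid credentials, while the parameterised query
    # compares the whole string as a value and returns nothing.
    print(compare("nobody", "' OR '1'='1"))
```

Placeholders only bind values: table and column names, or a sort direction taken from user input, cannot be parameterised and must be checked against a fixed allow-list instead, which is exactly where an otherwise parameterised ORM query can reopen the hole.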
Where to learn this
SQL Injection — How It Works and How to Stop It
Web Security for Builders course
This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.