SQL injection also known as code injection is a technique in which the attacker uses a security vulnerability present in SQL (Stuctured Query Language) to gain access to a database linked to website.

After infiltrating the database the attacker can add a new entry, modify existing entries and can also delete a record, table or even the whole database at the backend of the website or server rendering it useless for the visitors and users.

SQL injection is performed by incorrectly filtering the user input for string type literal characters.

Another name for SQL injection is SQL insertion attack. SQL injection is also performed by embedding malicious code inside a string.

This string is then passed to an SQL server object for parsing and execution. There are two types of SQL injection attacks, the direct attack and the indirect attack.

In direct attacks the code is directly entered into variables used for input, these variables are concatenated by SQL commands and then executed with the inserted code. In the indirect attacks the code is injected in a string that is to be stored in the database in a record or table.

Below SQL injection code is showed:

var Mname;
Mname = Request.form ("Mname");
var sql = "select * from OrdersTable where Mname = '" + Mname + "'";

Along with these manual methods of code injection automated tools are also available which make the code injection technique robust and even more devastating.  SQL injection attacks result in lack of security during defining input parameters for a database.