SQL Injection occurs when untrusted input is incorporated into a SQL query and executed without proper validation or escaping. This enables an adversary to alter the structure of the query, execute arbitrary SQL commands, modify or delete data, and extract sensitive information. In some database engines, SQL injection can be leveraged to execute operating system commands, escalating impact to full system compromise.

Remediation

• Never construct SQL queries through string concatenation or direct interpolation of user input.
• Use parameterised queries or prepared statements (`?` or `$1` placeholders) to enforce strong separation between code and data.
• Where possible, use Object Relational Mappers (ORMs) that generate parameterised queries by default.
• Apply least-privilege principles to database accounts; restrict write and administrative rights to minimise impact.
• Employ allow-lists for input validation (e.g., numeric IDs only) when user input is used in query filters.
• Monitor and log failed queries for early detection of attempted injection attacks.