SQL injection is a technique that exploits vulnerabilities arising from non-validated input in web applications to pass SQL commands through to a backend database for execution.
SQL injection is an attack technique used against databases. Web applications that do not validate their input may evaluate executable statements embedded in that input, including SQL commands. Attackers exploit the fact that programmers often concatenate SQL commands with user-supplied parameters, or use user input directly to construct SQL commands, and embed SQL syntax inside those parameters. Through the web application, the attacker can then execute arbitrary SQL queries and commands on the backend database server.
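The root cause described above, a query built by concatenating user input into SQL text, is easiest to see next to its fix. The following is an added example, not code from the original page: it uses Python's standard `sqlite3` module with a constructed in-memory `users` table (the table, the rows, and the function names are assumptions for illustration). `lookup_vulnerable` builds the statement by string concatenation, so a value that contains SQL syntax changes the query's logic; `lookup_parameterized` binds the value as a parameter, so the statement text is fixed and the input is only ever compared as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory sample database (not from the original text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    so it becomes part of the statement rather than a value the statement compares."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the statement is constant and the value is bound as a
    parameter, so the database never parses the input as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against a benign input and an input containing SQL syntax.
    Returns the four result sets so the difference can be inspected or asserted."""
    conn = make_db()
    normal = "bob"
    # Constructed input that carries SQL syntax; in the concatenated query it
    # turns the WHERE clause into a tautology and matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the block shows the concatenated version returning every user for the hostile input, while the parameterized version returns no rows because no username literally equals the supplied string. The same bound-parameter approach (prepared statements, placeholder binding in the database driver or ORM) is the primary mitigation the text's description points to; input validation is a useful second layer but not a substitute for it.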