SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.

With a successful attack, an attacker can gain:

• Unauthorized access to an application: An attacker can successfully bypass an application's authentication mechanism to have illegitimate access to it.
• Information disclosure: A SQL injection attack could lead to a complete data leakage from the database server.
• Loss of data availability: An attacker can delete records from the database server.
• Compromised data integrity: As SQL statements are also used to modify or add the record, an attacker can use SQL injection to modify or add data stored in a database. This would lead to compromised data integrity.

• Whitelisting is the best practice to validate input against blacklisting whenever it is practicable.
• Do not create SQL queries with string concatenation. Instead use prepared statements or stored procedures.

• SQL Injection
• SQL Injection Prevention Cheat Sheet
• Improper Neutralization of Special Elements used in an SQL Command
• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H