SQL Injection

SQL injection is an application flaw that lets untrusted input interfere with database queries in unintended and dangerous ways.

SQL injection is a vulnerability that allows untrusted input to affect how a database query is interpreted. In plain language, it happens when an application treats user-controlled input as part of a database command instead of clearly separating data from query logic.

Why It Matters

SQL injection matters because databases often hold sensitive records, authentication data, and business-critical information. When query handling is unsafe, a single application flaw can expose or alter important data far beyond the immediate feature where the input was received.

It also matters because this vulnerability is a classic example of insecure application design, not just a database problem. It shows why secure input handling and query construction are fundamental software-engineering concerns.

Where It Appears in Real Systems or Security Workflow

SQL injection appears in web applications, APIs, admin tools, and legacy internal systems that build database queries unsafely. Teams look for it in code review, Static Application Security Testing, Dynamic Application Security Testing, and application pentesting.

Security teams also think about SQL injection when they evaluate Web Application Firewalls, because WAF rules may help reduce some exposure while the application itself is corrected.

Practical Example

An application uses user input directly when constructing a database query for a search feature. If the code does not safely separate the query structure from the input value, a maliciously crafted request could change how the database interprets the query, instead of the input being treated as ordinary data.
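The search feature described above, sketched as an added example (not code from any real application): the same query built by string concatenation and with a bound parameter, run against an in-memory SQLite database. The table, column names, sample rows, and the crafted input are all constructed for illustration.

```python
import sqlite3

# Constructed input: the quote closes the string literal early, so the
# remainder is parsed as query logic rather than as a search term.
CRAFTED = "' OR name LIKE '"

def make_db():
    # Constructed sample data; schema and rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, internal INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red lamp", 0), ("blue lamp", 0), ("unreleased prototype", 1)],
    )
    return db

def search_unsafe(db, term):
    # Vulnerable: the input becomes part of the SQL text itself, so the
    # "internal = 0" restriction can be bypassed by the input.
    sql = ("SELECT name FROM products WHERE internal = 0 "
           "AND name LIKE '%" + term + "%' ORDER BY name")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, term):
    # Hardened: the query structure is fixed and the input is bound as a
    # value, so it can only ever be compared against, never parsed as SQL.
    # (LIKE wildcards inside the term still match as wildcards.)
    sql = ("SELECT name FROM products WHERE internal = 0 "
           "AND name LIKE '%' || ? || '%' ORDER BY name")
    return [row[0] for row in db.execute(sql, (term,))]

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("unsafe", search_unsafe), ("safe", search_safe)):
        print(label, "ordinary:", fn(db, "lamp"))
        print(label, "crafted: ", fn(db, CRAFTED))
```

With the crafted input, the concatenated query returns the row marked internal, while the parameterized query treats the same string as a literal search term and matches nothing.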

Common Misunderstandings and Close Contrasts

SQL injection is not just “bad characters in a form.” The real issue is unsafe query construction and trust handling in the application.

It is also different from Cross-Site Scripting. SQL injection targets the application’s interaction with the database, while XSS targets how untrusted content is handled in the browser.

Knowledge Check

  1. What is the core problem in SQL injection? Untrusted input interferes with how a database query is interpreted.
  2. Is SQL injection mainly a database-admin issue or an application-coding issue? Primarily an application-coding issue.
  3. How is SQL injection different from XSS? SQL injection affects database query handling, while XSS affects browser-side content handling.