SQL Injection

SQL injection is an attack in which attacker-controlled input is interpreted as part of the SQL statement an application sends to its database. It becomes possible when untrusted input is concatenated into the query text rather than passed as a bound parameter, because the database then cannot distinguish the developer's query from the attacker's additions. Depending on the query and the privileges of the database account, an attacker can read data the query was never meant to return, bypass authentication, modify or delete records, or, on database servers that expose such features to SQL, execute commands on the underlying host.

Injection has appeared on the OWASP Top 10 list of critical web application security risks for over a decade. Parameterized queries (prepared statements) are the primary prevention technique: the query text and the data values travel to the database separately, so the values are never parsed as SQL. Parameters cannot bind identifiers such as table or column names, so input that selects those must be validated against an allowlist, and running the application under a least-privilege database account limits what a successful injection can reach.
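The following is an added example, not code from the original page, showing the defect and its fix side by side against a constructed in-memory SQLite database (table and user rows are invented for illustration). It demonstrates authentication bypass and data extraction through string-built queries, the same queries written with bound parameters, and an allowlist check for the one place parameters cannot help, a user-chosen ORDER BY column:

```python
import sqlite3


# Constructed in-memory database so the example runs offline.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


# VULNERABLE: user input is spliced into the SQL text, so the database
# cannot tell where the developer's query ends and the attacker's begins.
def login_vulnerable(conn, username: str, password_hash: str):
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# FIXED: placeholders send the query text and the values separately;
# the values are never parsed as SQL, whatever characters they contain.
def login_safe(conn, username: str, password_hash: str):
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# Same defect in a search endpoint, where UNION lets the attacker read
# columns the query was never meant to return.
def search_vulnerable(conn, username: str):
    rows = conn.execute(
        f"SELECT username FROM users WHERE username = '{username}'"
    ).fetchall()
    return [r[0] for r in rows]


def search_safe(conn, username: str):
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


# Identifiers (column and table names) cannot be bound as parameters, so
# validating against an allowlist is the right control here.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn, sort_column: str):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    rows = conn.execute(
        f"SELECT username FROM users ORDER BY {sort_column}"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    bypass = "alice' --"  # the comment marker removes the password check
    dump = "' UNION SELECT password_hash FROM users --"
    print(login_vulnerable(db, bypass, "wrong"))  # alice  (authentication bypassed)
    print(login_safe(db, bypass, "wrong"))        # None
    print(search_vulnerable(db, dump))            # password hashes leak
    print(search_safe(db, dump))                  # []
```

The payload `alice' --` closes the string literal and comments out the rest of the vulnerable query, so the password comparison never runs; the UNION payload appends a second SELECT that returns the password_hash column through a query that was only supposed to return usernames. The parameterized versions treat the same strings as literal usernames and match nothing.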

CISSP Relevance

SQL injection is addressed in Domain 8 (Software Development Security). CISSP candidates must understand input validation, parameterized queries as the primary prevention technique, and how a vulnerability in the application layer creates risk that extends to the data and systems behind it.

External reference: OWASP SQL Injection Attack Reference

Related terms: Secure Software Development Lifecycle, Vulnerability