Security Encyclopedia

SQL Injection

SQL Injection is a kind of cyberattack in which perpetrators inject code into a data-driven application or resource. The attack exploits vulnerabilities of SQL based apps and resources with the aim to misuse or disrupt their data.

A successful SQL injection attack can have many negative outcomes. In the example of a financial services app falling victim, hackers can invalidate transactions or change values in account balances. They can also impersonate users and admins, indeed becoming admins of the app or resource’s server. Further, they can tamper with or disclose all data on the database.

Dating back to 1998, and plaguing retail industry websites with as many as four attacks per month. SQL injection is one of the most common threats.


"One of the more serious cyberattacks using SQL injection involved a hacker installing packet-sniffing software on ATM machines. It resulted in the pilfering of millions of consumers' of cardholder data (CHD)."