A SQL injection attack takes advantage of a bug or vulnerability in an application, such as a web application or API, that uses a database. Structured Query Language (SQL) is the language applications use internally to query a database for information. If the application takes input from end users, it needs to ensure that the given input cannot be interpreted as SQL. If it fails to do so, malicious actors can manipulate the application into sending unauthorized commands to the database.
For example, if a web application has a search feature that allows searching by first and last name, SQL could be supplied instead of a real name, and a poorly secured application would pass this SQL to the database directly, allowing malicious actors to query or delete data in the database.
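The name-search scenario above, as an added example that is not part of the original page. It uses Python's standard `sqlite3` module against a constructed in-memory table (the table, rows and function names are assumptions for illustration). `search_vulnerable` builds the query by string concatenation, so the user's text becomes part of the statement; `search_parameterized` keeps the SQL text fixed and binds the input as a value, which is the standard mitigation. The demo shows both the functional symptom (a legitimate name containing an apostrophe breaks the concatenated query) and the security symptom (input that is SQL rather than a name makes the concatenated query return every row, while the parameterized query returns none).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (first_name, last_name, email) VALUES (?, ?, ?)",
        [
            ("Ada", "Lovelace", "ada@example.test"),
            ("Grace", "Hopper", "grace@example.test"),
            ("Miles", "O'Brien", "miles@example.test"),
        ],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Vulnerable pattern: the SQL text is assembled from user input.

    Whatever the user typed is parsed by the database as part of the
    statement, so a quote character changes the statement's structure.
    """
    sql = "SELECT first_name, last_name FROM users WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    """Hardened pattern: fixed SQL text, input bound as a parameter.

    The driver sends the value separately from the statement, so the
    database never parses the user's text as SQL, whatever it contains.
    """
    sql = "SELECT first_name, last_name FROM users WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo() -> dict:
    """Run both implementations on two constructed inputs and collect results."""
    conn = build_db()
    results = {}

    # 1. A legitimate surname that happens to contain an apostrophe.
    results["param_obrien"] = search_parameterized(conn, "O'Brien")
    try:
        results["vuln_obrien"] = search_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early: a syntax error
        # here is the first visible sign that input is reaching the parser.
        results["vuln_obrien"] = f"error: {exc}"

    # 2. Input that is SQL rather than a name. The concatenated query becomes
    #    WHERE last_name = '' OR '1'='1', which is true for every row.
    injected = "' OR '1'='1"
    results["vuln_injected"] = search_vulnerable(conn, injected)
    results["param_injected"] = search_parameterized(conn, injected)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version is the fix to apply at every point where the application sends user-supplied values to the database; input filtering alone is fragile, as the `O'Brien` case shows, because legitimate data also contains the characters an ad hoc filter would have to strip.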
In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, disclose all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.