SQL Injection
SQL injection is a security vulnerability where untrusted input is inserted into a SQL query, letting an attacker read or modify data they shouldn't.
It happens when user input is concatenated directly into SQL. An attacker can craft input that changes the query's meaning — bypassing auth, dumping tables, or deleting data.
The fix is parameterized queries (bind variables), which keep data separate from SQL code, plus least-privilege database roles and input validation at the boundary.
When you must run dynamic SQL, never interpolate raw user input; pass values as parameters and rely on database permissions and row-level security as defense in depth.