SQL Injection 

Injection flaws occur when untrusted user data are sent to the web application as part of a command or query. The attacker's hostile data can trick the web application into executing unintended commands or accessing unauthorized data. Injection occurs when a hacker feeds malicious input into the web application that is then acted on (processed) in an unsafe manner. This is one of the oldest attacks against web applications, but it’s still the king of the vulnerabilities because it is still widespread and very damaging. Injection vulnerabilities can pop up in all sorts of places within a web application that allow the user to provide malicious input. Some of the most common injection attacks target the following functionality:
■ Structured query language (SQL) queries 
■ Lightweight directory access protocol (LDAP) queries 
■ XML path language (XPath) queries 
■ Operating system (OS) commands 
Anytime that the user’s input is accepted by the web application and processed without the appropriate sanitization, injection may occur. This means that the hacker can influence how the web application’s queries and commands are constructed and what data should be included in the results. This is a very powerful exploit!
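
The difference between input that shapes the query and input that is treated purely as data, shown as an added example that is not from the original text. It uses Python's built-in `sqlite3` module with an in-memory database; the `users` table, the function names and the sample rows are assumptions made for illustration. The hardened form binds the input as a parameter, a technique the text above does not name, instead of trying to sanitize it.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("O'Brien", "obrien@example.test")],
    )
    return db

def lookup_unsafe(db, name):
    """Vulnerable: input is spliced into the SQL text, so it can alter the query."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, name):
    """Hardened: the query text is fixed and the input is bound as a value."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def compare(db, name):
    """Run both lookups on one input; report rows or the SQL error raised."""
    results = {}
    for label, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        try:
            results[label] = fn(db, name)
        except sqlite3.Error as exc:
            results[label] = "error: " + type(exc).__name__
    return results

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a legitimate name containing a quote,
    # and a string whose quote turns part of the input into SQL syntax.
    for name in ("alice", "O'Brien", "nobody' OR '1'='1"):
        print(repr(name), compare(db, name))
```

The legitimate name `O'Brien` already breaks the concatenated query, which makes a quote-related SQL error in application logs a useful signal that user input is reaching the query text.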