SQL injection (SQLi)

A flaw where untrusted input is mixed into a database query, letting an attacker read, change, or destroy your data.

SQL injection happens when user input is concatenated directly into the text of a SQL query. A login field that builds SELECT * FROM users WHERE email = '<input>' can be fed ' OR '1'='1, and the query then matches and returns every row. In the worst cases an attacker can dump your entire database or delete tables.

For a founder this is the classic catastrophic bug: it can expose every customer record at once, and it's been a top web risk for two decades. It stays one of the OWASP Top 10 because new code keeps reintroducing it.

The defense is well understood: use parameterized queries (prepared statements), which send user values to the database separately from the SQL text, or a query builder that parameterizes input for you, and never build SQL by string concatenation. Most modern ORMs handle this by default, but raw queries you write by hand are where the risk creeps back in.
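The following is an added example, not code from this glossary, showing the concatenated lookup the entry describes beside its parameterized fix. It uses Python's standard sqlite3 module and an in-memory table with constructed sample rows; the function names, table layout and sample e-mail addresses are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with a few constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    # Sample rows constructed for the example; not real accounts.
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.com", "admin"),
            ("bob@example.com", "user"),
            ("carol@example.com", "user"),
        ],
    )
    return conn


def find_user_vulnerable(conn, email):
    """The pattern the entry warns about: user input spliced into the SQL text.

    With the input ' OR '1'='1 the query becomes
        SELECT email, role FROM users WHERE email = '' OR '1'='1'
    and the WHERE clause is true for every row.
    """
    query = "SELECT email, role FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Parameterized version: the driver sends the value separately from the SQL.

    The database never parses the input as SQL, so ' OR '1'='1 is just a
    (non-matching) e-mail string and the query returns nothing.
    """
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def row_counts(email):
    """Return (vulnerable_rows, safe_rows) for one input so the two can be compared."""
    conn = make_db()
    return len(find_user_vulnerable(conn, email)), len(find_user_safe(conn, email))


if __name__ == "__main__":
    for value in ("bob@example.com", "' OR '1'='1"):
        print(repr(value), "->", row_counts(value))
```

A legitimate address returns one row from both functions; the injection string returns every row from the concatenated query and zero rows from the parameterized one, which is exactly the difference the entry is describing.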