SQL injection is an attack that exploits a vulnerability in the way an
application builds the SQL statements it sends to its database. The
vulnerability is present when user input is embedded in a SQL statement
without correct escaping of the characters that delimit string literals,
or when input that is supposed to be of a particular type (for example
an integer) is not enforced as that type, so that attacker-supplied text
is interpreted as part of the statement rather than as data.
An attacker can use this vulnerability to read any data that the web
application's database account can read, often to modify or insert data,
and in some cases to gain control of the underlying system, depending on
the privileges of that account and the features the database exposes.
SQL injection occurs when user input is used in a SQL statement without
first being typed, escaped or filtered correctly. To fix the issue, the
application must enforce the expected type or escaping of every value
before it reaches the statement. If a value is supposed to be an integer,
typecast it to an integer and reject anything that does not convert. If a
value is supposed to be a string, escape the characters that have meaning
inside a SQL string literal (at minimum the quote character) and keep the
value inside quotes. Better still, use parameterized queries (prepared
statements), which pass values to the database separately from the
statement text, so there is no escaping step that can be forgotten.
Most languages provide built-in functions that handle the escaping for
you. Note that escaping alone does not protect a value that is placed in
the statement without surrounding quotes: an attacker does not need a
quote character to break out of an unquoted numeric position, so escaping
changes nothing there and the value must be typecast instead.
In PHP the legacy mysql extension offered mysql_real_escape_string(); it
was deprecated in PHP 5.5 and removed in PHP 7.0, so current code should
use mysqli_real_escape_string() or, preferably, prepared statements via
mysqli or PDO. If you are using .Net, please visit
for generic code fixes.
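The fixes described above (typecast integers, escape quoted strings, and the caveat that escaping does nothing for a value placed outside quotes), shown as an added Python example against an in-memory SQLite database. This is not code from the original page: the users table, its two sample rows, the attack strings and the escape_sql_string() helper are all constructed here for illustration. SQLite has no counterpart to mysql_real_escape_string(), so the helper doubles single quotes, which is the standard SQL escape for a quote inside a string literal.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original page): one admin
    and one ordinary user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0)],
    )
    return conn


def escape_sql_string(value):
    """Hypothetical escaping helper: double every single quote, the SQL
    standard way to put a quote inside a string literal. This is the
    only escaping SQLite needs; other databases need more."""
    return value.replace("'", "''")


def lookup_by_name_vulnerable(conn, name):
    """Quoted string concatenated with no escaping: a quote in the input
    closes the literal and the rest of the input becomes SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_by_name_escaped(conn, name):
    """Same query, but the value is escaped AND kept inside quotes, so the
    whole input stays a string literal."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_sql_string(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped_only(conn, user_id):
    """The caveat from the text: the value sits in an unquoted numeric
    position, so escaping quotes achieves nothing. A payload such as
    '1 OR 1=1' contains no quote and passes through untouched."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_sql_string(user_id)
    return conn.execute(sql).fetchall()


def typecast_rejects(value):
    """True when the integer typecast refuses the input, i.e. the attack is
    stopped before any SQL is built."""
    try:
        int(value)
    except ValueError:
        return True
    return False


def lookup_by_id_typecast(conn, user_id):
    """The typecast fix: convert to int first. Anything that is not an
    integer raises ValueError and never reaches the statement."""
    uid = int(user_id)
    sql = "SELECT id, name FROM users WHERE id = " + str(uid)
    return conn.execute(sql).fetchall()


def lookup_by_name_parameterized(conn, name):
    """Preferred fix: a parameterized query. The driver sends the value
    separately from the statement text, so no escaping step is needed."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload_str = "' OR '1'='1"   # constructed attack string for a quoted position
    payload_int = "1 OR 1=1"      # constructed attack string for an unquoted position
    print("vulnerable, quoted:   ", lookup_by_name_vulnerable(db, payload_str))
    print("escaped, quoted:      ", lookup_by_name_escaped(db, payload_str))
    print("escaped, unquoted:    ", lookup_by_id_escaped_only(db, payload_int))
    print("typecast rejects it:  ", typecast_rejects(payload_int))
    print("parameterized:        ", lookup_by_name_parameterized(db, payload_str))
```

The attack strings are single-statement payloads (a tautology rather than a stacked `; DROP TABLE`) because sqlite3's execute() refuses to run more than one statement at a time; the read-everything result is the same. Running the script shows the vulnerable and escaped-but-unquoted queries both returning every user, while the escaped quoted query, the typecast and the parameterized query each return nothing or reject the input.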