What is SQL?
SQL stands for Structured Query Language. It is a set of instructions used to interact with a database, and it is the standard language for relational database management systems (according to ANSI). SQL commands are used to perform operations on a database, such as updating the data in it or retrieving data from it. Some common relational database management systems on the market that use SQL are Oracle, Sybase, Microsoft SQL Server, Access, Ingres, etc. Some of the SQL commands that are common to all relational database management systems are Select, Insert, Update, Delete, Create, and Drop; these commands can be used to do almost everything that one needs to do with a database.
What is SQL Injection?
Almost every website you visit has its very own database where it stores important information such as your user name, password and other useful things that neither you nor the website wants to reveal to anyone else. Not just websites: every organisation manages its own database to keep its data. SQL Injection is one of the many web attack techniques used by hackers to steal data from organisations. It is one of the most common application layer attack techniques used today. It takes advantage of improper coding of your website/web applications that allows a hacker to inject SQL commands in the form of user input in a web form. In simple words, it arises because the fields available for user input allow SQL statements to pass through and query the database directly, through which a hacker can retrieve, update or even delete data.
A Simple Example
Here is what the HTML code for a form (a login panel) looks like:
<form>
User Name: <input type="text" name="username"><br>
Password : <input type="password" name="pwd">
</form>
So whenever you enter a "User Name" and "Password", their values are assigned to "username" and "pwd" respectively. The system then checks its database to see whether this username exists and, if it does, whether the password you entered matches the one stored for it. A sample SQL query to do this is:
SELECT * FROM userdatabase WHERE username = '$username' AND password = '$pwd'
Now, what a hacker does is inject a SQL statement into the login panel: for both the username and the password he/she enters anything' or 'x'='x (without the surrounding quotes). In this way our SQL query now reads like this:
SELECT * FROM userdatabase WHERE username = 'anything' OR 'x'='x' AND password = 'anything' OR 'x'='x'
which is a valid query because 'x'='x' is always true. Since AND binds more tightly than OR, the final OR 'x'='x' makes the whole WHERE clause true for every row, so the query returns users regardless of the username and password entered.
This will allow the hacker to bypass the login form without actually knowing a valid username/password combination!
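To make the difference concrete, here is an added example (not code from the original article) that builds the page's login query two ways against a small in-memory SQLite table: once by pasting user input into the SQL text, as the '$username' / '$pwd' query above does, and once as a parameterized query where the database driver binds the values separately. The table name, column names and the sample user are constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory table standing in for the page's userdatabase.

    Passwords are stored in plain text only to mirror the article's query;
    a real application would store a password hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE userdatabase ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO userdatabase (username, password) VALUES ('alice', 's3cret')"
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, pwd):
    """Return the SQL text produced by string interpolation.

    This is the article's pattern: the user's input becomes part of the SQL
    itself, so a quote character in the input changes the query's structure.
    """
    return (
        "SELECT * FROM userdatabase WHERE username = '%s' AND password = '%s'"
        % (username, pwd)
    )


def login_vulnerable(conn, username, pwd):
    """Login check that interpolates input into the query (the flawed version)."""
    row = conn.execute(build_vulnerable_query(username, pwd)).fetchone()
    return row is not None


def login_safe(conn, username, pwd):
    """Login check using a parameterized query.

    The SQL text is fixed; the '?' placeholders are filled by the driver,
    which always treats the supplied values as data, never as SQL syntax.
    """
    query = "SELECT * FROM userdatabase WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, pwd)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "anything' or 'x'='x"  # the input from the article
    print(build_vulnerable_query(payload, payload))
    print("vulnerable login accepted payload:", login_vulnerable(conn, payload, payload))
    print("parameterized login accepted payload:", login_safe(conn, payload, payload))
```

Running the script prints the rewritten query from the article and shows that the interpolated version accepts the input while the parameterized version, given the very same input, simply looks for a user literally named anything' or 'x'='x and finds none. The fix is not to filter quote characters but to keep data and SQL text separate through parameter binding.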
