It's called SQL injection. It's one of the forms of a website attack in which the attacker is able to execute arbitrary SQL against your database.

Here's a simple example. If you have a form that returns a user name and you are trying to look up the user's settings in the database, your SQL might look like this (in pseudo language):

select col1, col2 from settings where user name = ' + username + ';

If an attacker submits the username as John'; insert into users (...) --, then your SQL will look like this:

select col1, col2 from settings where user name = 'John'; insert into users (...) -- ';

As you can see, the attacker was able to insert their own record into the users table. In worst-case scenarios, SQL injection may be used to take over the entire server.

Prevention is fairly simple: validate your input; use parameter binding when possible; escape input if parameter binding is not available.

J.D.
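The three defences J.D. lists (validate, bind parameters, escape as a fallback), worked through as an added example that is not part of the original answer. It assumes Python's standard sqlite3 module, a settings table whose lookup column is named username (the answer's "user name" column, renamed so it is a legal identifier), two constructed sample rows, and function names chosen here for illustration. The concatenating version only builds the statement text so the effect of the answer's sample input can be inspected; it is never executed.

```python
import re
import sqlite3

# Constructed sample database: an in-memory SQLite table standing in for
# the "settings" table from the answer.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (username TEXT, col1 TEXT, col2 TEXT)")
    conn.execute("INSERT INTO settings VALUES ('John', 'dark', 'en')")
    conn.execute("INSERT INTO settings VALUES ('Alice', 'light', 'fr')")
    conn.commit()
    return conn

def build_query_by_concatenation(username):
    """The vulnerable pattern from the answer: the user-supplied value is
    pasted straight into the SQL text. Returned as a string, not executed,
    so the resulting statement can be inspected."""
    return "select col1, col2 from settings where username = '" + username + "';"

def lookup_settings_parameterized(conn, username):
    """Parameter binding: the value reaches the driver separately from the
    SQL text, so quotes, semicolons and comment markers inside it are data,
    never syntax."""
    cur = conn.execute(
        "select col1, col2 from settings where username = ?", (username,)
    )
    return cur.fetchall()

# Input validation as the first layer: an allow-list of characters and a
# length cap (assumed policy for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def escape_sql_literal(value):
    """Fallback when binding is not available: doubling every single quote
    keeps the value from terminating the string literal. A driver-provided
    escaping routine should be preferred over this hand-rolled one."""
    return value.replace("'", "''")

def lookup_settings_escaped(conn, username):
    """Concatenation with escaping applied; the whole input stays inside
    one literal, so only one statement is ever sent."""
    sql = ("select col1, col2 from settings where username = '"
           + escape_sql_literal(username) + "'")
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    conn = build_sample_db()
    hostile = "John'; insert into users (...) --"   # the answer's sample input
    print(build_query_by_concatenation(hostile))    # two statements + comment
    print(lookup_settings_parameterized(conn, "John"))   # [('dark', 'en')]
    print(lookup_settings_parameterized(conn, hostile))  # [] : treated as a name
    print(lookup_settings_escaped(conn, hostile))        # []
    print(is_valid_username(hostile))                    # False
```

Run it and compare the first printed line with the statement in the answer: the quote in the input closes the literal and the `--` comments out the trailing quote. The bound and escaped lookups both treat the same input as an ordinary (non-existent) user name, and the allow-list rejects it before any query is built.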
SQL injections are illegal characters which make your text-based query corrupt, and then the person who puts in the illegal characters can do anything with your query. The best thing to avoid such injections is to use stored procedures. Do not use text queries on your web page. Always use stored procedures.