SQL Injection is a server-side vulnerability that occurs when user input is inserted directly into a query string, without any validation or sanitization, and that query is then passed to the database.
Because the user controls part of the query text, with no limitation other than the location of the injection point, they can prematurely terminate the string literal that the input was supposed to sit inside and change the query that the database actually runs (example below).
A basic example would be the following. Imagine there is a login form where the query selects the user from the database whose password matches the submitted value:
SELECT * FROM users WHERE password = '[USER_INPUT]' LIMIT 1;
If we control [USER_INPUT] and we input ' OR 1=1;# then the query becomes:
SELECT * FROM users WHERE password = '' OR 1=1;# LIMIT 1;
In MySQL, # starts a comment, so everything after it is ignored by the database, including the "LIMIT 1;". The query that actually runs is therefore:
SELECT * FROM users WHERE password = '' OR 1=1;
Since this is a login form, and we have appended an OR clause whose condition is always true (1=1), the WHERE clause matches every row and the login query lets us bypass the need for valid credentials.
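The following is an added example, not code from the original slides: it shows the vulnerable pattern described above (string concatenation) next to the standard mitigation (a parameterized query), using Python's built-in sqlite3 module and a constructed in-memory users table. Because SQLite's line-comment syntax is -- rather than MySQL's #, the demonstration input is the same tautology with SQLite's comment marker. Storing a plaintext password is a simplification for the demo; real systems store password hashes.

```python
import sqlite3

# Constructed sample database (not from any real system): one user, plaintext
# password kept only to mirror the query on the slide.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, user_input):
    # The input is spliced into the SQL text, so a quote in the input ends the
    # string literal and the rest of the input is parsed as SQL. This is the
    # pattern the slide describes and is shown here only for contrast.
    query = f"SELECT username FROM users WHERE password = '{user_input}' LIMIT 1;"
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, user_input):
    # The ? placeholder makes the driver bind the value separately from the SQL
    # text: the input is compared as data and can never alter the query structure.
    query = "SELECT username FROM users WHERE password = ? LIMIT 1;"
    row = conn.execute(query, (user_input,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 --"   # SQLite form of the slide's ' OR 1=1;# input
    print("vulnerable, injected input   ->", login_vulnerable(db, tautology))      # alice
    print("parameterized, injected input->", login_parameterized(db, tautology))   # None
    print("parameterized, real password ->", login_parameterized(db, "correct-horse"))  # alice
```

With the parameterized version the injected string is simply a password that nobody has, so the lookup returns no row; no escaping or input filtering is needed for that guarantee, which is why parameterized queries (prepared statements) are the primary defence rather than blacklisting characters.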
This vulnerability can also be used to leak the database's contents, add new data to the database, or, in some situations, read files (in MySQL: SELECT LOAD_FILE('/home/username/myfile.txt')), write to files (in MySQL: SELECT 'output' INTO OUTFILE '/home/username/myfile.txt'), and execute commands (in the case of MSSQL, using xp_cmdshell). Which of these are possible depends on the database engine and on the privileges granted to the account the application connects with, which is why that account should hold only the permissions the application needs.