SQL injection is a technique for inserting malicious SQL queries from the client into a web application. When an attacker submits a query through an input form and the form data is not filtered, the malicious input can change the behavior of the query according to the injected SQL commands (OWASP). A simple example:
    SELECT * FROM users_tbl WHERE user = '$username' AND pass='$password';

Malicious input:

    user: admin
    pass: ' or 1='1      (or: ' or true)

Joining the malicious input with the SQL statement:

    SELECT * FROM users_tbl WHERE user ='admin' AND pass='' or 1='1'
This query consists of a fixed SQL statement and the data entered by the user, which is not meant to be part of the query. Malicious user input, however, may carry an SQL fragment of its own that changes the expected behavior of the query: the tautology `1='1'` above makes the WHERE clause match every row, so the result can include secret data, and the same mechanism can be used to store malicious posts that later serve XSS attacks.
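The login check above, worked through as an added example that is not part of the original text: the vulnerable query built by string concatenation is placed beside the parameterized form that keeps the input as data. The `users_tbl` contents, the in-memory SQLite database and the plaintext passwords are constructed here for illustration only. The payload uses the string-typed tautology `' or '1'='1` because SQLite compares the integer literal `1` with the text `'1'` without coercion and would evaluate the page's `1='1'` as false; on MySQL, which coerces, the page's form behaves the same way.

```python
import sqlite3

# Constructed sample data (not from the page): two accounts in users_tbl.
# Assumption for the demo: plaintext passwords, as in the page's example.
SAMPLE_USERS = [("admin", "s3cret-admin-pw"), ("alice", "alice-pw")]

# The page's malicious input, in the string-typed form SQLite evaluates as true.
INJECTED_PASSWORD = "' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory users_tbl with the page's two columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_tbl (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users_tbl VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    """The page's pattern: form fields spliced straight into the SQL text."""
    return (f"SELECT * FROM users_tbl WHERE user = '{username}' "
            f"AND pass='{password}'")


def users_matched_unsafe(conn: sqlite3.Connection,
                         username: str, password: str) -> list:
    """Run the concatenated query and return every user name it matches.

    With the injected password the WHERE clause becomes
    user = 'admin' AND pass='' or '1'='1', so every row comes back.
    """
    rows = conn.execute(build_query_unsafe(username, password)).fetchall()
    return [row[0] for row in rows]


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable check: the SQL text itself changes with the input."""
    return len(users_matched_unsafe(conn, username, password)) > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: placeholders bind the input as values, never as SQL.

    The injected string is compared literally against the pass column and
    matches nothing, so the tautology never reaches the SQL parser.
    """
    rows = conn.execute(
        "SELECT * FROM users_tbl WHERE user = ? AND pass = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    print("query sent:", build_query_unsafe("admin", INJECTED_PASSWORD))
    print("unsafe login bypassed:", login_unsafe(db, "admin", INJECTED_PASSWORD))
    print("rows leaked by unsafe query:",
          users_matched_unsafe(db, "admin", INJECTED_PASSWORD))
    print("safe login bypassed:", login_safe(db, "admin", INJECTED_PASSWORD))
```

Running the script shows the concatenated query text exactly as the page joins it, the unsafe check accepting the injected password and returning both accounts, and the parameterized check rejecting it; the fix is the placeholder binding, not any filtering of the input.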