SQL injection is a serious security concern for any application that accepts user input and executes SQL built by concatenating strings that include user-provided values.
How does this present a risk? Consider the following:
    s = "SELECT * " +
        "FROM users " +
        "WHERE username = '" + username + "';"
    db.execute(s)

Now consider if the user entered the following value into the login form as their username:
'; DELETE FROM users; --