SQL injection is?

Study for the EC-Council Certified Ethical Hacker Exam v13. Use flashcards and multiple choice questions with hints and explanations. Prepare for your certification exam today!

Multiple Choice

SQL injection is?

Explanation:
SQL injection is a code injection technique that exploits a vulnerability in an application's software by inserting malicious SQL statements. It happens when user-supplied input isn’t properly validated or parameterized and is directly embedded into an SQL query. By tampering with the input, an attacker can alter the query’s logic, potentially bypass authentication, read or modify data, or even execute administrative operations on the database. A common example is inputting something like ' OR '1'='1 to turn a login check into a condition that always passes, which demonstrates how the intended query behavior is changed. More advanced injections can use techniques like UNION SELECT to dump data or blind injections to infer information step by step.

This best describes SQL injection as a vulnerability-driven attack that inserts malicious SQL statements to affect the database. It’s not about harvesting databases remotely in general, not about performing queries safely, and not about encrypting SQL commands.
