What is SQL injection and how can you prevent it?

Enhance your career with the English for Business Computing test. Prepare with a variety of questions including hints, flashcards, and explanations. Ace your exam and achieve your goals!

Multiple Choice

What is SQL injection and how can you prevent it?

Explanation:
SQL injection is a security vulnerability in which attacker-controlled input (a form field, URL parameter, header, or any other value the application reads) is concatenated into the text of an SQL statement. If the input is assembled into the query as code instead of being treated purely as data, the attacker can change the query's logic, read or modify data they should not reach, or run unintended commands, depending on the database and the privileges of the account executing the query. The strongest defense is parameterized queries (prepared statements), which send the SQL text and the data values to the database separately, so user input is bound to a placeholder and is never parsed as part of the command. Pair that with allow-list input validation to reject values that do not match the expected format, reserve escaping for the rare cases where a value cannot be parameterized (such as a table or column name chosen from a fixed list), and run the application under a least-privilege database account so that any injection that does succeed has limited impact. Other options don't address this vulnerability: they relate to performance, password storage, or networking, not SQL injection or its direct prevention.
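The following is an added example, not code from the original page: it shows a vulnerable query built by string concatenation next to its parameterized form, plus an allow-list validator, against a small in-memory SQLite table constructed here for illustration (the table, rows, function names and the `x' OR '1'='1` payload are all assumptions of this example).

```python
import re
import sqlite3

# Constructed sample data (not from the original page): an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the input is spliced into the SQL text, so the database
    # parses it as part of the command. A payload such as  x' OR '1'='1
    # closes the string literal and appends an always-true condition.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # SAFE: the SQL text is fixed and the value is bound to a placeholder.
    # The database receives code and data separately, so the same payload
    # is compared literally against the username column and matches nothing.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list validation: reject anything that is not a plausible username
# before it reaches the database. This is a second layer, not a replacement
# for parameterization.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


PAYLOAD = "x' OR '1'='1"  # classic tautology payload (assumed for this demo)


def demo():
    """Run the same payload through both query styles and return the rows."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),  # every row leaks
        "safe": find_user_safe(conn, PAYLOAD),              # no rows
        "legit": find_user_safe(conn, "alice"),             # normal lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

Running the script prints all three users for the concatenated query and an empty result for the parameterized one. The validator is deliberately strict: a username with a quote in it never reaches either function, which is the kind of defense-in-depth the explanation recommends alongside prepared statements.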
