An SQL injection attack is where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended - it gets used to corrupt or destroy your database.

For example, if your form returns to $_REQUEST[message] and you write
INSERT into msgtab (message) values ("$_REQUEST[message]")
in your code, then without the appropriate precautions I could enter
Got you"); delete his database;
or words to that effect ... and that would be a nasty injection attack.

Note that most copies of PHP are configured with magic quotes on to insure against this kind of hole being left by newcomers to coding, and that my example - quite intentionally - doesn't exactly attack; rather, it shows the principle

As well as SQL injection attacks, Javascript can be injected too ... and even tags like <h1> can sometimes be injected to make the whole of the rest of a response page be shouted back at subsequent visitors to (say) a poorly written forum or chatroom.
(written 2006-11-27)

 S161 - Data Access and Security in MySQL
  [192] Current MySQL and PHP paths and upgrades - (2005-01-28)
  [193] The wrong MySQL - (2005-01-29)
  [401] What is an SQL injection attack? - (2005-08-02)
  [535] MySQL permissions and privileges - (2005-12-20)
  [647] Checking for MySQL errors - (2006-03-15)
  [1131] MySQL - Password security (authentication protocol) - (2007-04-02)
  [2204] Images in a database? How big is a database? (MySQL) - (2009-05-28)
  [2263] Mysqldump fails as a cron job - a work around - (2009-06-30)
  [2647] Removing duplicates from a MySQL table - (2010-02-22)
  [3270] SQL - Data v Metadata, and the various stages of data selection - (2011-04-29)
  [4390] Checking MySQL database backups have worked (not failed) - (2015-01-10)
  [4406] Fixing damaged MySQL tables - Error 1712 and Error 2013 - (2015-01-25)
  [4481] Extracting data from backups to restore selected rows from MySQL tables - (2015-05-01)
  [4491] Web Server Admin - some of those things that happen, and solutions - (2015-05-10)
  [4493] Forgotten / lost MySQL root password - (2015-05-16)

H117 - Security in PHP
  [345] Spotting a denial of service attack - (2005-06-12)
  [426] Robust checking of data entered by users - (2005-08-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1747] Who is watching you? - (2008-08-10)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [2628] An example of an injection attack using Javascript - (2010-02-08)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)

H113 - Using MySQL Databases in PHP Pages
  [104] mysql_connect or mysql_pconnect in PHP? - (2004-10-30)
  [515] MySQL - an FAQ - (2005-12-03)
  [572] Giving the researcher power over database analysis - (2006-01-22)
  [581] Saving a MySQL query results to your local disc for Excel - (2006-01-29)
  [666] Database design - get it right from first principles - (2006-04-02)
  [723] Viewing images held in a MySQL database via PHP - (2006-05-17)
  [915] Paging through hundreds of entries - (2006-11-05)
  [937] Display an image from a MySQL database in a web page via PHP - (2006-11-22)
  [1010] Dates, times, clickable diarys in PHP - (2006-12-28)
  [1561] Uploading to a MySQL database through PHP - examples and common questions - (2008-03-02)
  [1983] Keeping PHP code in database and running it - (2009-01-09)
  [2071] Setting up a MySQL database from PHP - (2009-03-08)
  [2259] Grouping rows for a summary report - MySQL and PHP - (2009-06-27)
  [2320] Helping new arrivals find out about source code examples - (2009-08-03)
  [2432] Using print_r in PHP to explore mysql database requests - (2009-10-01)
  [2447] MySQL stored procedures / their use on the web from PHP - (2009-10-10)
  [2561] The future of MySQL - (2010-01-03)
  [3035] How to display information from a database within a web page - (2010-11-07)
  [3455] MySQL, MySQLi, PDO or something else - how best to talk to databases from PHP - (2011-09-24)
  [4378] What FGW passengers want to talk about / and PHP programming to find out - (2015-01-01)
  [4483] Moving from mysql to mysqli - simple worked example - (2015-05-03)

Back to Look around this mouth.

Previous and next or Horse's mouth home

Forward to Running an on line campaign

What happened at Geekmas
Python and the Magic Roundabout
Sludge off the mountain, and Python and PHP
Running an on line campaign
What is an SQL injection attack?
Look around this mouth.
Code quality counts
Just ******* Google it
Matching within multiline strings, and ignoring case in regular expressions
Index of Pictures