SQL Injection
SQL injection is a kind of attack where someone puts harmful commands into a website's input box (like a login form) so the site runs those commands on its database.
How it works
Websites often take user input and build a query to ask the database for data. If the input isn't cleaned, an attacker can sneak in extra SQL code. The database will then follow those instructions, maybe showing hidden data, changing records, or even deleting tables.
Analogy
It's like ordering food at a restaurant. You say, "One pizza." The waiter writes it down. But if you say, "One pizza; and give me the money from the cash register," and the waiter just passes it to the kitchen without thinking, you'd get more than just pizza. That's how SQL injection abuses careless handling of input.
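The query-building problem described under "How it works", shown as an added example that is not part of the original page: the same login lookup written once by pasting input into the SQL text and once with placeholders. The table, the user rows, the function names and the crafted input are all constructed for illustration, and SQLite is assumed as the database.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name, password):
    # Input is pasted into the SQL text, so a quote in it changes the query itself.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "' ORDER BY name")
    return [row[0] for row in db.execute(sql)]

def login_safe(db, name, password):
    # Placeholders pass the input separately; it is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name, password))]

def vulnerable_breaks_on_quote(db):
    # Even an honest name containing a quote corrupts the pasted-together query.
    try:
        login_vulnerable(db, "O'Brien", "x")
    except sqlite3.OperationalError:
        return True
    return False

# Constructed input: the quote closes the string literal and adds an always-true test.
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password :", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, crafted input :", login_vulnerable(db, "alice", CRAFTED))
    print("safe, crafted input       :", login_safe(db, "alice", CRAFTED))
    print("safe, real password       :", login_safe(db, "alice", "correct-horse"))
    print("vulnerable fails on quote :", vulnerable_breaks_on_quote(db))
    print("safe handles quote        :", login_safe(db, "O'Brien", "x"))
```

In the waiter analogy, the placeholder version is the waiter who writes the whole sentence down as the name of the dish instead of acting on it.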