What is SQL injection and how is it used?



SQL Injection (SQLi) refers to an injection attack in which an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System, or RDBMS).
  • SQL injection is a code injection technique that might destroy your database.

  • SQL injection is one of the most common web hacking techniques.

  • SQL injection is the placement of malicious code in SQL statements, via web page input.
Since a SQL Injection vulnerability could affect any website or web application that makes use of a SQL-based database, it is one of the oldest, most prevalent and most dangerous web application vulnerabilities.
By exploiting a SQL Injection vulnerability, given the right circumstances, an attacker can bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQL Injection can also be used to add, modify and delete records in a database, affecting data integrity.
To that extent, SQL Injection can give an attacker unauthorized access to sensitive data, including customer data, personally identifiable information (PII), trade secrets, intellectual property, and other sensitive information.

Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

SQL Injection Based on 1=1 is Always True


# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

SELECT * FROM Users WHERE UserId = 105 OR 1=1;
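The concatenated query above next to a parameterized version, run against an in-memory SQLite database. This is an added example, not code from the original page; the sample rows and the function names `make_db`, `lookup_concatenated` and `lookup_parameterized` are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [(104, "alice"), (105, "bob"), (106, "carol")]


def make_db():
    """Build an in-memory Users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, user_id_text):
    """The page's pattern: request text is pasted into the SQL string."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id_text
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id_text):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        user_id = int(user_id_text)
    except ValueError:
        return []  # not a number, so it cannot match any UserId
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for text in ("105", "105 OR 1=1"):
        print(repr(text))
        print("  concatenated: ", lookup_concatenated(conn, text))
        print("  parameterized:", lookup_parameterized(conn, text))
```

With the bound parameter the database receives the value separately from the statement text, so the `OR 1=1` fragment is never parsed as SQL.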
