Definition
Plain language
A classic web security flaw where an attacker sneaks database commands into ordinary user input.
As stated in the literature
A vulnerability class where user-controlled input is concatenated into SQL queries without sanitization, allowing attackers to execute arbitrary database commands.
Why it matters: It's been one of the most common and dangerous web vulnerabilities for decades, and AI agents writing or reviewing code need to spot the pattern reliably.
For example, a login form that pastes the username directly into a query can be tricked by entering `' OR '1'='1` to log in as anyone.
Heard on the show
“… produced confident, well-structured answers about whether a particular code path was safe from SQL injection — and they were wrong, because the facts they were reasoning from had been quietly edited two …”Episode 039 — When Smarter Agents Get Fooled by Three Extra Nodes in a Database