What is SQL injection and how is it prevented?
CISSP Flashcards: Software Development Security, SDLC, OWASP, Secure Coding
SQL injection occurs when an attacker inserts malicious SQL code into input fields that are passed directly to a database query without proper validation or sanitization. The attacker can read, modify, or delete database contents, bypass authentication, or execute administrative operations. For example, entering a specially crafted username can modify the login query to return all user records. Prevention requires parameterized queries, also called prepared statements, which separate SQL code from user input.
owasp.org