SQL injection is a technique that abuses inline query parameters and can destroy your database. Ex: Assume you want to get the user details based on the UserId (from an input textbox); the inline query will look like this.
Query : "SELECT * FROM Users WHERE UserId = " + txtUserId;
If there is nothing to prevent a user from entering “wrong” input, the user can enter some “smart” input like this:
If the user passes txtUserId as “100 OR 1=1”, the query becomes:
SELECT * FROM Users WHERE UserId = 100 OR 1=1;
The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE.
SOLUTION : Use stored procedures in SQL.
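The inline query and its mitigation side by side, as an added example that is not part of the original note. It uses Python's sqlite3 with a constructed Users table; the parameterized lookup binds the textbox value instead of gluing it into the SQL text, which is the same protection a stored procedure gives only when the value is passed to it as a parameter rather than concatenated inside it.

```python
import sqlite3

# Constructed sample data, not taken from the original note.
SAMPLE_USERS = [(100, "alice"), (101, "bob"), (102, "carol")]


def make_db():
    """Build an in-memory Users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_inline(conn, txt_user_id):
    """Vulnerable pattern from the note: the textbox value is concatenated
    into the SQL text, so 'OR 1=1' becomes part of the WHERE clause."""
    query = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, txt_user_id):
    """Mitigation: the value is bound as a parameter. The driver sends it as
    data, never as SQL syntax, so '100 OR 1=1' is just a non-matching value."""
    query = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(query, (txt_user_id,)).fetchall()


def validate_user_id(txt_user_id):
    """Extra input check: a UserId must be a plain integer. Raises ValueError
    for anything else, so malformed input is rejected before any query runs."""
    return int(txt_user_id.strip())


if __name__ == "__main__":
    db = make_db()
    print("inline, normal input:     ", lookup_inline(db, "100"))
    print("inline, '100 OR 1=1':     ", lookup_inline(db, "100 OR 1=1"))
    print("parameterized, normal:    ", lookup_parameterized(db, "100"))
    print("parameterized, '100 OR 1=1':", lookup_parameterized(db, "100 OR 1=1"))
```

Running it shows the inline query returning all three rows for “100 OR 1=1” while the parameterized query returns none, exactly the difference the note describes.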