SQL injection, also known as insertion, is a malicious technique that exploits vulnerabilities in a target website’s SQL-based application software by injecting malicious SQL statements through improperly validated or improperly handled input. In 2013, the Open Web Application Security Project [OWASP] listed injection as the most prevalent threat to vulnerable web applications.
SQL injection is one of the most common code injection techniques used by attackers to attack websites. Once a website is exploited, attackers attempt to gain root access to the server, allowing them to gather information as well as access databases and other devices within the network.
In March 2011, SQL injection was used to compromise numerous websites and inject a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.
Difference with Cross-site Scripting
While both vulnerabilities can be caused by malicious code or data sent by website/app users and administrators, they differ in terms of impact. Cross-site scripting (CSS/XSS) typically causes disruptions on the client or visitor side and can be used to hijack sessions, deface websites, download malicious content, and redirect URLs. SQL injection, on the other hand, severely affects the server side and can lead to data loss and other consequences.
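The mechanism described above, where user input becomes part of the SQL text the server executes, is easiest to see side by side with the standard fix. The following is an added example and not code from the original page: a lookup built by string concatenation next to the same lookup using a parameterized query. The `users` table, its rows, and the function names are constructed for the demonstration; SQLite is used only because it runs in memory with no setup.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the input into the SQL text, so the database parser
    sees whatever the user typed as part of the statement itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Binds the input as a parameter: the statement structure is fixed
    before the value is supplied, so the value is only ever treated as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report what each one did.

    For ordinary input both agree. For input containing a quote character
    the concatenated version is parsed differently by SQLite (here it
    fails with a syntax error), which is the symptom that the input has
    changed the meaning of the statement; the parameterized version
    simply returns the matching row.
    """
    conn = make_db()
    try:
        vulnerable_rows = lookup_vulnerable(conn, name)
        vulnerable_error = None
    except sqlite3.Error as exc:
        vulnerable_rows = None
        vulnerable_error = type(exc).__name__
    safe_rows = lookup_safe(conn, name)
    conn.close()
    return {
        "vulnerable": vulnerable_rows,
        "vulnerable_error": vulnerable_error,
        "safe": safe_rows,
    }


if __name__ == "__main__":
    for user_input in ("alice", "O'Brien"):
        print(repr(user_input), "->", compare(user_input))
```

In a real application the concatenated form is the defect to look for in code review: any place where request data reaches `execute()` inside the SQL string rather than in the parameter tuple. A database error surfacing on a quote in a name field, as above, is the same signal seen from the logs.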
How to Prevent SQL Injection Attacks
For enterprises:
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
http://blog.trendmicro.com/trendlabs-security-intelligence/lizamoon-etc-sql-injection-attack-still-on-going/