
SQL Injection


SQL injection is an attack technique in which an attacker supplies input (form fields, URL parameters, headers, cookies, API payloads) that a web application inserts into an SQL statement, so that the input is parsed as part of the query rather than as a data value. If successful, the attacker can read, modify, or delete data, bypass authentication, and, depending on database privileges and features, execute commands on the database server. The root cause is that untrusted data is mixed into the SQL text, typically by string concatenation or formatting, rather than being passed to the database separately as a parameter. Input validation alone does not fix this: it is a useful defense in depth, but any value that reaches the query by concatenation remains exploitable. You prevent SQL injection by using parameterized queries (prepared statements) for every query that contains user-controlled data, by applying allowlist validation where the input has a known shape, and by running the application with a least-privilege database account so that a successful injection has limited impact. In an ISMS, SQL injection is one of the most critical vulnerability classes and is tested via SAST, DAST, and penetration testing.
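The following is an added example, not code from the original glossary page. It uses Python's standard-library sqlite3 module with constructed sample data and a constructed `secrets` table (all assumptions for the demonstration) to show the same lookup written vulnerably and with a bound parameter, plus a simple allowlist check as defense in depth. The payloads show both a WHERE-clause bypass and a UNION-based read of a table the query was never meant to touch.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not from the original page).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]
SECRETS = [  # a table the lookup query should never expose (constructed)
    (1, "key-alice-0001"),
    (2, "key-bob-0002"),
]

# Constructed attack strings: the first turns the WHERE clause into a tautology,
# the second appends a UNION to pull rows from another table; '--' comments
# out the trailing quote the application adds.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, api_key, 'n/a' FROM secrets --"

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")  # assumed username policy


def setup_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SECRETS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the untrusted value is concatenated into the SQL text, so a
    quote in it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter. The database parses the
    statement with a placeholder and never treats the value as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    """Allowlist validation (defense in depth, not a substitute for binding)."""
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> dict:
    """Run both lookups against both payloads and summarize what came back."""
    conn = setup_db()
    return {
        "vuln_tautology_rows": len(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "safe_tautology_rows": len(lookup_safe(conn, PAYLOAD_TAUTOLOGY)),
        "vuln_union_keys": sorted(r[1] for r in lookup_vulnerable(conn, PAYLOAD_UNION)),
        "safe_union_rows": len(lookup_safe(conn, PAYLOAD_UNION)),
        "payload_passes_allowlist": is_valid_username(PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns every user for the tautology payload and leaks the contents of `secrets` for the UNION payload, while the parameterized version returns nothing for either, because it is searching for a user literally named `x' OR '1'='1`. The allowlist rejects both payloads, but note that binding, not validation, is what makes `lookup_safe` correct: a field that legitimately contains quotes (a surname such as O'Brien) still works with the parameter and would break the concatenated version.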