What is a sql injection ??

SQL injection is the result of someone providing extra code in a form input on a site or program. For example, you have a input box on a Web page that takes in a user id. You pass that value to an SQL query like "SELECT * FROM userposts WHERE userId=<inputVal>". If the user puts '1; DELETE * FROM userposts' as their input your SQL query will execute both the intended and the unintended operations. Web security involves a lot of things but one of them is input sanitization.