A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. In a SQL injection attack, SQL commands are injected into data-plane input in order to alter the execution of the application's predefined SQL commands.
How to solve it
Make sure that you never concatenate user-controlled input straight into the SQL query text and that you use parameterized queries all the way. ORM libraries (Hibernate, ...) already take this into account. If you are working with raw JDBC, you need to ensure that you pass user-controlled input through a PreparedStatement instead of a Statement. Example: