SQL injection found

SQL Injection (SQLi) is an injection attack in which an attacker supplies input that a web application incorporates into an SQL statement, so that attacker-chosen SQL (commonly called the malicious payload) is executed by the application's database server (the Relational Database Management System, RDBMS) with the application's own database privileges.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: the request values are spliced straight into the statement text
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

The script above is a simple example of authenticating a user by username and password against a database that has a table named users with username and password columns. Because uname and passwd are concatenated directly into the statement, a quote character in either field ends the string literal and everything after it is parsed as SQL; the client, not the developer, then decides what the server executes.
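As an added worked example (not code from the original page or from the Acunetix article it cites), here is the snippet's concatenated query beside its parameterized replacement, both run against a constructed in-memory SQLite users table. The database object, the two account rows and the two payload strings are assumptions made for the demonstration; the table and column names follow the page's description.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's ``database`` object: an in-memory SQLite
    database with the users table the page describes (username and password columns).
    Plaintext passwords are kept only to mirror the snippet; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """Same construction as the page's snippet: the request values are spliced into
    the statement text, so quotes in them change the query's structure.
    Returns the matched user id, or None when no row matches."""
    sql = (
        "SELECT id FROM users WHERE username='" + uname
        + "' AND password='" + passwd + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, passwd):
    """Hardened form: the SQL text is a constant and the values travel as bound
    parameters, so a quote in the input is just a character in a string compare."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed here; they assume the attacker knows or guesses
# the account name 'admin' and that the query has the shape shown above).
COMMENT_PAYLOAD = "admin'--"        # closes the username literal, comments out the password check
TAUTOLOGY_PAYLOAD = "' OR '1'='1"   # makes the WHERE clause read ... AND password='' OR '1'='1'


def demo():
    """Run both login implementations against a legitimate login and both payloads."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "legit_parameterized": login_parameterized(conn, "alice", "hunter2"),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "comment_parameterized": login_parameterized(conn, COMMENT_PAYLOAD, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "tautology_parameterized": login_parameterized(conn, "nobody", TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, user_id in demo().items():
        status = "logged in as id " + str(user_id) if user_id else "rejected"
        print(f"{name:24s} -> {status}")
```

Against the concatenated query both payloads log in as user id 1 (admin) without knowing any password: the comment payload discards the password check entirely, and the tautology payload makes the WHERE clause true for every row, so the first row wins. The parameterized version rejects both, because the statement text never changes and the payloads are compared as ordinary strings. The comment payload relies on the database treating `--` as a line comment; MySQL additionally requires whitespace after the dashes (`admin'-- `). The lesson is not to escape quotes by hand but to keep code and data separate with placeholders.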

https://www.acunetix.com/websitesecurity/sql-injection/