How exactly does someone go about explaining what SQL injection is to a first-time developer? I think I did 'Okay' explaining it today by showing examples of what could be done, and how; however, I struggled with giving a good definition.
Tonight I did a Google search, and came up with this definition from the E-government in New Zealand website:
“SQL injection is the name for a general class of attacks that can allow nefarious users to retrieve data, alter server settings, or even take over your server if you're not careful. SQL injection is not a SQL Server problem, but a problem with improperly written applications.”
That pretty much sums it up. Here is an article that goes into more depth on how these attacks are carried out, and what developers should do to prevent them. I think I'll revisit this discussion tomorrow.