SQL injection is a form of attack in which unauthorized SQL commands are executed by exploiting insecure code on a system connected to the Internet. Which option best describes this?

Multiple Choice

Explanation:
SQL injection is an attack where unauthorized SQL commands get executed because the application mishandles user input. When code builds SQL statements by directly inserting input rather than using safe, parameterized queries, an attacker can craft input that changes the meaning of the command being run. Being connected to the Internet means this attack can be attempted remotely against vulnerable systems. The statement in question captures this idea precisely: it defines SQL injection as an attack that runs unauthorized SQL commands due to insecure code. The other options describe a defense against SQL attacks, a method for optimizing queries, or a protocol for database replication, which are not about the attack itself.
