How to Protect Yourself from SQL Injection Attack


Posted February 28, 2018 by zaidinbutt

An injection attack in which an attacker can execute potentially harmful statements that are capable of controlling a web application's RDBMS (Relational Database Management System) is known as an SQL injection attack. It is one of the oldest and most critical vulnerabilities and can affect any website backed by an SQL database. An attacker can use it to circumvent the authentication and authorization of a web application and access sensitive information, and even to compromise the integrity of the data by adding, modifying and deleting database records.

Protection from SQL injection attack:

One can protect against SQL injection attacks using data sanitization and data validation. It is essential to prevent dangerous characters (such as the single quote, ' ) in submitted data from being passed into an SQL query; this can be achieved by running all such data through MySQL's mysql_real_escape_string() function. This is termed data sanitization.

Data validation involves ensuring that the submitted data does not deviate from the expected form. For example, at the most basic level, it is necessary to ensure that email addresses contain "@", that digits are supplied where integers are expected, and that the length of each value stays within the expected limits.

There are two modes of data validation:

1. Blacklisting the unsafe and unnecessary characters.

2. Whitelisting the allowable characters.

It is necessary to validate the data on the server side rather than relying on client-side validation, as attackers can alter the data on the client side.
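The following is an added example, not code from the original post, showing server-side whitelist validation of the kind described above: each field is accepted only if it matches an explicit allow-list pattern and stays within a length or numeric range. The field names, patterns and limits are assumptions chosen for the example, not requirements taken from the post.

```python
import re

# Allow-list patterns (constructed for this example; tune them to the
# application's real input requirements).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_email(value, max_len=254):
    """Return the address if it is well-formed and within the length limit."""
    if not isinstance(value, str) or len(value) > max_len:
        raise ValueError("email: wrong type or too long")
    # The '@' check is the basic test the post mentions; the pattern tightens it.
    if "@" not in value or not EMAIL_RE.fullmatch(value):
        raise ValueError("email: does not match the expected form")
    return value


def validate_int(value, lo, hi):
    """Accept only a decimal integer (as text) that lies in [lo, hi]."""
    if not isinstance(value, str) or not re.fullmatch(r"-?\d{1,18}", value):
        raise ValueError("integer expected")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"integer out of range {lo}..{hi}")
    return n


def validate_username(value):
    """Whitelist: letters, digits and underscore only, 3 to 32 characters.
    Anything else, including quote characters, is rejected outright."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username: only letters, digits and '_' (3-32 chars)")
    return value


def validate_signup_form(form):
    """Validate a whole submitted form on the server; return the cleaned
    values or raise ValueError on the first field that fails."""
    return {
        "username": validate_username(form.get("username", "")),
        "email": validate_email(form.get("email", "")),
        "age": validate_int(form.get("age", ""), 0, 150),
    }


def is_valid(form):
    """Convenience wrapper: True if every field passes, False otherwise."""
    try:
        validate_signup_form(form)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample submissions.
    print(is_valid({"username": "alice_1", "email": "alice@example.com", "age": "30"}))
    print(is_valid({"username": "o'brien", "email": "alice@example.com", "age": "30"}))
```

Because the checks run on the server, they hold even when an attacker bypasses whatever validation the browser performs; the whitelist form also means new unsafe characters never need to be added to a blacklist after the fact.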

SQL injection defense techniques:

There are primary and secondary defense techniques used to fight SQL injection attacks. The primary defenses are enumerated below:

1. Parameterized queries compel developers to define all of the SQL code first, after which the parameters are passed into the query separately; this lets the database distinguish between code and data.

2. Another way is the stored procedure, which is defined and stored in the database and then invoked from the application, so that the user never supplies any SQL.

3. The third way is to escape all user-supplied input using the escaping scheme provided by each DBMS. The DBMS then does not confuse the SQL code written by the developer with the user input, which prevents SQLi attacks.
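As an added example (not code from the original post), the block below runs the same login check three ways against an in-memory SQLite table: dynamic SQL built by string concatenation, a parameterized query, and dynamic SQL with every value passed through the DBMS's own string-literal escaping rule. The table, the users and the inputs are constructed for the example; the password column holds plaintext only to keep the demonstration short, whereas a real table would store password hashes as the post advises.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with a constructed users table.
    (Plaintext passwords are for demonstration only.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_dynamic(conn, name, password):
    """Dynamic SQL: the user's input is spliced into the statement text, so a
    quote character in the input changes the structure of the query."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Parameterized query: the SQL text is fixed first and the values are
    bound separately, so the database treats them strictly as data."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def sqlite_quote(value):
    """Escape a value for use inside a single-quoted SQLite string literal by
    doubling every single quote (SQLite's own literal syntax). This stands in
    for the DBMS escaping scheme named in the post; it covers string literals
    only, which is one reason parameterized queries remain the better choice."""
    return "'" + value.replace("'", "''") + "'"


def login_escaped(conn, name, password):
    """Dynamic SQL again, but every input goes through the escaping scheme."""
    sql = (
        f"SELECT id FROM users WHERE name = {sqlite_quote(name)} "
        f"AND password = {sqlite_quote(password)}"
    )
    return conn.execute(sql).fetchone() is not None


def compare_defenses():
    """Run honest and quote-bearing inputs through all three variants."""
    conn = make_db()
    injected = "' OR '1'='1"  # constructed input containing the dangerous quote character
    return {
        "honest_dynamic": login_dynamic(conn, "alice", "correct horse"),
        "honest_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "honest_escaped": login_escaped(conn, "alice", "correct horse"),
        "injected_dynamic": login_dynamic(conn, "alice", injected),
        "injected_parameterized": login_parameterized(conn, "alice", injected),
        "injected_escaped": login_escaped(conn, "alice", injected),
    }


if __name__ == "__main__":
    for case, logged_in in compare_defenses().items():
        print(f"{case:24s} -> {'logged in' if logged_in else 'rejected'}")
```

With the honest credentials all three variants log the user in. With the quote-bearing input only the concatenated query does: the quote closes the password literal and the rest of the input becomes part of the WHERE clause, whereas the parameterized and escaped variants keep the whole string inside the literal and find no matching row.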

The additional SQL injection defense techniques are enumerated as below:

1. Reducing the privileges allotted to every database account so that users can accomplish nothing more than their job requires.

2. Whitelisting to screen out suspicious data.

Other ways that ensure SQL injection attack protection are:

1. Avoiding dynamic SQL wherever possible and using parameterized queries, prepared statements or stored procedures instead.

2. Regularly examining the application for vulnerabilities and applying patches and updates.

3. An appliance- or software-based web application firewall should be used to filter out malicious data.

4. Changing the passwords of the application's database accounts at regular intervals.

5. It is always wiser to buy better software, in which the developers review and fix security flaws before release.

6. Encrypting or hashing confidential data, including passwords, connection strings, etc.

7. Never connect to the database through an account with admin-level privileges unless there is an unavoidable reason; an account with limited access is much safer, since an attacker cannot easily reach everything through it.

8. Removing any unnecessary database functionality that an attacker could exploit.

9. Displaying only the information that is essential, since attackers can learn about the database architecture even from error messages. This can be ensured by using the "RemoteOnly" customErrors mode or its equivalent, which shows verbose error messages only on the local machine and tells a remote attacker only that an unhandled error has occurred.
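As an added example (not code from the original post), the block below applies point 9 in application code rather than through a framework setting: a database error is written in full to the server-side log, a local client receives the verbose detail, and a remote client receives only a generic message with an incident reference it can quote to support. The "local client" flag, the logger name and the incident-reference format are assumptions made for the example.

```python
import logging
import sqlite3
import uuid

# Server-side log: the full error detail goes here and nowhere else.
log = logging.getLogger("app.db")


def handle_db_error(exc, client_is_local):
    """Equivalent of the RemoteOnly idea: verbose detail only for a local
    client, a generic message plus an incident reference for everyone else."""
    incident = uuid.uuid4().hex[:8]  # constructed reference format
    log.error("db error %s: %s: %s", incident, type(exc).__name__, exc)
    if client_is_local:
        return f"[{incident}] {type(exc).__name__}: {exc}"
    return f"An unhandled error occurred (reference {incident})."


def lookup_user_name(conn, user_id, client_is_local=False):
    """Return ('ok', name) or ('error', message). A raw database exception,
    which would name tables and columns, never reaches the caller."""
    try:
        row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("error", handle_db_error(exc, client_is_local))


def demo():
    """Exercise the lookup against a healthy and a deliberately broken database."""
    healthy = sqlite3.connect(":memory:")
    healthy.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    healthy.execute("INSERT INTO users (id, name) VALUES (1, 'alice')")
    broken = sqlite3.connect(":memory:")  # no users table: every query fails
    return {
        "healthy": lookup_user_name(healthy, 1),
        "remote_error": lookup_user_name(broken, 1, client_is_local=False),
        "local_error": lookup_user_name(broken, 1, client_is_local=True),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

The remote message deliberately contains nothing about schema or SQL; the incident reference lets an operator find the matching log line, so nothing useful to an attacker has to be shown to obtain a diagnosable report.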
Issued By zaidinbutt
Website SQL injection
Country Israel
Categories Technology
Tags mysqls mysql , sql injection , sql query
Last Updated February 28, 2018