Written by Sleepy Egg
Thursday, 07 July 2005
SQL injection is an application security hole. It happens when an application builds a SQL statement from a string supplied by the user. Usually that string reaches the web server in an HTTP request. For example:
String str = request.getParameter("name");   // untrusted value taken straight from the HTTP request
String sqlStr = "select * from account where id=1 and name= "+str;   // concatenated into the query with no escaping or binding
With a normal value, sqlStr could be "select * from account where id=1 and name = kevin";
with a crafted value, sqlStr could instead be "select * from account where id=1 and name = kevin or id = 2", and the database will evaluate the injected "or id = 2" as part of the query.
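To make the difference concrete, here is an added example (not code from the original post) that runs the same account lookup two ways against a small constructed SQLite table: once by string concatenation, as in the Java snippet above, and once with a bound parameter. The table contents, the function names and the single quotes around the name value are assumptions made for this example; the post's snippet omits the quotes.

```python
import sqlite3

# Constructed sample data standing in for the post's "account" table.
SAMPLE_ROWS = [(1, "kevin"), (2, "alice"), (3, "bob")]

# The post's crafted value, written for a single-quoted string literal:
# the quote closes the literal, "or id = 2" extends the WHERE clause,
# and "--" comments out the quote the application appends.
INJECTED_INPUT = "kevin' or id = 2 --"


def make_db():
    """Create an in-memory database with the sample account rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table account (id integer primary key, name text)")
    conn.executemany("insert into account (id, name) values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: mirrors the post's Java code, user input concatenated into SQL."""
    sql = ("select id, name from account where id=1 and name='"
           + name + "' order by id")
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Fixed: the value is bound as a parameter, so the database treats it
    purely as data and never as part of the statement text."""
    sql = "select id, name from account where id=1 and name=? order by id"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("kevin", INJECTED_INPUT):
        print(repr(value))
        print("  concatenated:", lookup_concat(db, value))
        print("  parameterized:", lookup_param(db, value))
```

With the normal value both functions return the single kevin row; with the crafted value the concatenated query also returns account 2, while the parameterized query returns nothing because no account is literally named "kevin' or id = 2 --".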