If the SQL statement is constructed like this:
SQL = "SELECT * FROM Users WHERE username = '" + user + "' AND password ='" + pw + "'";
db.execute(SQL);
Then an attacker could retrieve your data by supplying this as the password:
pw' or '1'='1
The resulting SQL statement will be:
SELECT * FROM Users WHERE username = 'somebody' AND password ='pw' or '1'='1'
This statement passes the password check for every row in the Users table: AND binds more tightly than OR, so the WHERE clause reads (username = 'somebody' AND password = 'pw') OR '1'='1', and '1'='1' is always true regardless of the username and password entered.
To prevent this, use SQL parameters (placeholders), so the database driver sends user and pw as values and never interprets them as part of the statement:
SQL = "SELECT * FROM Users WHERE username = ? AND password = ?";
db.execute(SQL, [user, pw]);
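The following is an added, runnable Python example (not code from the original page) that places the concatenated query beside the parameterized one and runs both against a constructed in-memory SQLite database with a single user row. The function names, the sample row, and the use of sqlite3 are assumptions made for the demonstration; passwords are stored in plaintext here only to keep the example short, and a real system would compare against a password hash.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user row, plaintext password for brevity.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    db.execute("INSERT INTO Users VALUES ('somebody', 'secret')")
    return db


def login_vulnerable(db, user, pw):
    # Builds the statement by string concatenation, exactly as on the page.
    # Any quote in pw becomes part of the SQL text rather than part of the value.
    sql = ("SELECT * FROM Users WHERE username = '" + user +
           "' AND password ='" + pw + "'")
    return db.execute(sql).fetchall()


def login_parameterized(db, user, pw):
    # Placeholders: the driver binds user and pw as values, so the statement
    # structure is fixed before any user-controlled data reaches it.
    sql = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return db.execute(sql, [user, pw]).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "pw' or '1'='1"  # the password value from the page
    # Concatenation: WHERE becomes (... AND password='pw') OR '1'='1', so the
    # row is returned even though the password is wrong.
    print(login_vulnerable(db, "somebody", attack))       # [('somebody', 'secret')]
    # Parameters: the same string is compared literally as a password and fails.
    print(login_parameterized(db, "somebody", attack))    # []
    # The correct password still works through the parameterized path.
    print(login_parameterized(db, "somebody", "secret"))  # [('somebody', 'secret')]
```

The parameterized version needs no escaping logic of its own: the driver transmits the values separately from the statement, which is why it defeats this bypass regardless of which quote characters the input contains.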