Define SQL injection and how to defend against it.


Multiple Choice

Define SQL injection and how to defend against it.

Explanation:
SQL injection occurs when attacker-controlled input (a form field, URL parameter, header, cookie) is spliced into the text of a database query, so that characters such as quotes, comment markers or keywords in the input change the structure of the query rather than being treated as a value. The result is that the database runs statements the application never intended, such as returning other users' rows, bypassing a login check, modifying or deleting data, or reading the schema. The primary defense is parameterized queries (prepared statements): the SQL text is sent to the database with placeholders, and the input is bound separately as data, so it can never be parsed as part of the query. Two further controls provide defense in depth. Input validation restricts what the application accepts (expected format, character set and length, ideally as an allow-list), which removes many injection payloads before they reach the query layer, but it is not a substitute for parameterization because legitimate values can contain quotes and other SQL-significant characters. Least-privilege database accounts limit the damage of any injection that still succeeds: the account the application uses should have only the rights its queries need, with no permission to drop or alter tables, write to unrelated tables, or read data it does not serve. Hand-rolled escaping of input is fragile and should not be relied on. The other answer choices (copying files via FTP, DNS hijacking, CSRF tokens) concern different attacks or defenses and do not address SQL injection.
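The following is an added example (not from the quiz or its publisher) showing all three layers side by side in Python with the standard-library sqlite3 module: a query built by string concatenation next to its parameterized form, an allow-list validator, and a least-privilege emulation. The tables, rows and payload strings are constructed for the demonstration, and SQLite's authorizer hook is used as a stand-in for the per-account GRANTs a server database would provide.

```python
import re
import sqlite3

# Constructed sample schema and data for the demonstration.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL);
INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user');
CREATE TABLE api_keys (token TEXT NOT NULL, owner TEXT NOT NULL);
INSERT INTO api_keys (token, owner) VALUES ('tok-1', 'alice');
"""

# Constructed attacker inputs: the first rewrites the WHERE clause so it is
# always true, the second appends a UNION that reads an unrelated table.
BYPASS = "' OR '1'='1"
EXFIL = "' UNION SELECT token, owner FROM api_keys WHERE '' = '"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """Input is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def valid_username(username):
    """Allow-list validation: quotes, spaces and keywords are rejected outright."""
    return USERNAME_RE.fullmatch(username) is not None


def restrict_to_users_reads(conn):
    """Emulate a least-privilege database account with SQLite's authorizer hook.

    Only SELECT statements and column reads of the `users` table are permitted;
    any other action (reads of other tables, INSERT/UPDATE/DELETE, DROP TABLE)
    is refused when the statement is prepared.
    """
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "users":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def attempt(fn, conn, username):
    """Run a lookup and return (rows, error) so each defense's effect is visible."""
    try:
        return fn(conn, username), None
    except sqlite3.Error as exc:
        return None, str(exc)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, BYPASS))  # both users: the WHERE clause was rewritten
    print(lookup_safe(db, BYPASS))        # []: the payload is compared as a plain string
    print(lookup_vulnerable(db, EXFIL))   # an api_keys row: data the query never served
    print(valid_username(BYPASS))         # False: the allow-list rejects it before any query
    restrict_to_users_reads(db)
    print(attempt(lookup_vulnerable, db, EXFIL))  # rows=None, error set: read of api_keys refused
```

Note that Python's sqlite3 driver refuses to execute more than one statement per call, so stacked payloads such as `'; DROP TABLE users; --` fail here for that reason alone; many other drivers and databases do execute them, which is why the concatenating function is unsafe regardless of what this particular driver happens to block.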

