SQL injection: SQL injection is a code injection attack that can destroy your database. For example, suppose a form has an input box named name and a Search button. When we click the Search button, the name parameter is sent to the back-end, which executes a query like 'SELECT * from user WHERE name=' + name. But when an attacker sends a string like john; drop user, the query drops the entire user table.
Most ORMs already prevent this kind of attack, so we don't need to worry about it when we use an ORM. But if we write raw SQL queries (for example, for query optimization), we have to guard against this attack ourselves.
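The contrast described above, written out as an added example (not code from the original text): the concatenated query beside the parameterized one, run against a constructed in-memory SQLite table named user. The vulnerable handler quotes the value and uses executescript so that the benign case is valid SQL and appended statements actually run; the sample rows and the injected input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data and input (not from the original text).
SEED_ROWS = [("john",), ("alice",)]
INJECTED_INPUT = "john'; DROP TABLE user; --"


def make_db():
    """In-memory SQLite database with a single `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT)")
    conn.executemany("INSERT INTO user (name) VALUES (?)", SEED_ROWS)
    conn.commit()
    return conn


def table_exists(conn):
    """True while the `user` table is still present in the schema."""
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='user'")
    return cur.fetchone() is not None


def search_vulnerable(conn, name):
    """The pattern the text warns about: the search term is pasted into
    the SQL text, so any SQL inside `name` becomes part of the query.
    Kept here only to contrast with search_safe below."""
    query = "SELECT name FROM user WHERE name='" + name + "'"
    conn.executescript(query)  # runs every statement in the string


def search_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as
    SQL text, so it can only ever be compared against the column."""
    cur = conn.execute("SELECT name FROM user WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def demo(user_input=INJECTED_INPUT):
    """Run both handlers on the same input and report what happened:
    (rows the safe query returned, table intact after safe query,
    table intact after vulnerable query)."""
    conn = make_db()
    safe_rows = search_safe(conn, user_input)
    intact_after_safe = table_exists(conn)
    search_vulnerable(conn, user_input)
    intact_after_vulnerable = table_exists(conn)
    return safe_rows, intact_after_safe, intact_after_vulnerable


if __name__ == "__main__":
    print(demo("john"))          # (['john'], True, True)
    print(demo())                # ([], True, False)
```

The parameterized query treats the injected string as an ordinary (non-matching) name and leaves the schema untouched, which is exactly the behaviour an ORM gives you for free.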
Cross Site Scripting (XSS) attack
An example of an XSS attack follows.