Top 10 2010-A1-Injection

The application uses untrusted data in the construction of the following vulnerable SQL call:
 *  String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

The attacker modifies the 'id' parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer's.
 *  http://example.com/app/accountView?id=' or '1'='1

In the worst case, the attacker uses this weakness to invoke special stored procedures in the database, allowing a complete takeover of the database host.
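The same lookup in Python against an in-memory SQLite table, as an added example that is not part of the OWASP page: the concatenated query from above beside its parameterized replacement, both run with the page's `' or '1'='1` input. The table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the page): three customer accounts.
ACCOUNTS = [("101", "alice", 50.0), ("102", "bob", 75.0), ("103", "carol", 20.0)]

PAYLOAD = "' or '1'='1"  # the tampered 'id' value shown on the page


def make_db():
    """Build an in-memory accounts table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """Mirror of the page's Java: untrusted input spliced into the SQL text."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()


def demo():
    """Return row counts for: honest id (vulnerable), payload (vulnerable), payload (parameterized)."""
    conn = make_db()
    honest = lookup_vulnerable(conn, "102")        # WHERE custID='102'          -> 1 row
    tampered = lookup_vulnerable(conn, PAYLOAD)    # WHERE custID='' or '1'='1'  -> every row
    safe = lookup_parameterized(conn, PAYLOAD)     # custID compared to the literal string -> 0 rows
    return len(honest), len(tampered), len(safe)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0)
```

The middle count is the "return all the records" outcome the page describes; the parameterized lookup treats the same input as an ordinary string and matches nothing.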