SQL injection, along with the related manipulation of query strings, is widely cited as one of the most popular ways of hacking into a network or system that utilizes the conventional relational database. (Read When SQL Isn't Enough: Controls for Massive New Data Centers.)
There are a number of reasons for this. First of all, the use of SQL injection to get unauthorized access to database contents doesn't require any special tools. Secondly, it can be done right through the Internet.
By manipulating a query string that goes from a web form to a host system, hackers can do all sorts of things, including getting the database to dump its data. Wherever these incoming inputs are not properly authenticated and validated, it’s extremely easy to make your way into a database remotely.
You don't have to crack a password or figure out a way around encryption or anything else — the hacker just enters the altered query statement and runs amok in the system.
In addition, as some experts point out, hackers can fingerprint databases through careful research. It's relatively easy in many cases to figure out what type of database a network is using, and again, this can all be done from any connected computer.
Essentially, query string manipulation is as simple as adding alphanumeric characters to a string. It's one of the simplest, most straightforward and most effective types of database hacking around. Contrast this with something like a denial of service attack or a ransomware attack, both of which require sophisticated planning, and you'll see why SQL injection is so popular. (Read How Should Businesses Respond to a Ransomware Attack?)
There are ways of locking out hackers — of disabling SQL injection, but vulnerabilities are so common that they represent a big open barn door to hackers. Spoofing and social engineering are also popular, but SQL injection doesn’t even require the hacker to trick any human user! It just involves looking for the right pressure point, and using it.