What vulnerability arises when a web application fails to validate input and allows attacker-provided SQL elements to reach the backend?

Failing to validate and sanitize input that gets embedded into a database query lets attacker-provided SQL elements reach the backend, which is SQL Injection. When user input is concatenated directly into a SQL statement, an attacker can terminate the intended query and append additional SQL commands. This can reveal sensitive data, modify or delete records, or even alter the application's logic (for example, bypassing authentication). The reliable defense is using parameterized queries or prepared statements, along with strict input validation, proper escaping, least-privilege database accounts, and avoiding dynamic SQL construction. The other vulnerabilities involve different attack vectors: cross-site scripting exploits untrusted input to run scripts in a victim’s browser; buffer overflow arises from improper memory management; directory traversal targets files outside the intended directory.