The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.