Query Injection (SQL Injection Basics)
Home /
Glossary Index /
Alphabet Q
A web form asks for your username. You type: admin’ OR ‘1’=’1. The application sends this to the database. The database returns every user record. You are now logged in without a password. SQL injection is one of the oldest and most dangerous web application vulnerabilities. It allows attackers to read, modify, or delete your database. The fix is simple and proven. Use parameterized queries.
What Is SQL Injection?
SQL Injection (SQLi) is a code injection vulnerability that occurs when untrusted data is sent to a SQL interpreter as part of a command or query. Attackers can use this to read, modify, or delete database data, bypass authentication, or in some cases execute commands on the underlying operating system. When user input is concatenated directly into SQL queries without proper sanitization or parameterization, attackers can inject their own SQL commands. The database cannot distinguish between legitimate queries and malicious ones.
How SQL Injection Works
Vulnerable code concatenates user input directly into a SQL query. A PHP example: $query = “SELECT * FROM users WHERE username='” . $_POST[‘user’] . “‘”. Normal input of admin produces the query: SELECT * FROM users WHERE username=’admin’. Malicious input of admin’ OR ‘1’=’1 produces the query: SELECT * FROM users WHERE username=’admin’ OR ‘1’=’1′. The OR condition always evaluates to true. The query returns all users instead of just the admin account. The attacker bypasses authentication completely.
Types of SQL Injection
In-band SQLi
Results are visible directly in the application response. Union-based SQLi uses UNION queries to combine results with legitimate query results. Error-based SQLi relies on database error messages revealing information.
Blind SQLi
No visible output appears in the response. Attackers infer information by observing differences in application behavior. Boolean-based blind SQLi tests true or false conditions. Time-based blind SQLi uses database sleep commands to measure response times.
Out-of-band SQLi
Data extracts via alternative channels like DNS or HTTP requests. This technique works when direct response channels are blocked but outbound requests are allowed.
The Damage SQL Injection Causes
SQL injection can read sensitive data including passwords, credit cards, and medical records. It can modify or delete database content, destroying critical information. It can bypass authentication, granting access to attacker without valid credentials. In some database configurations, it can execute operating system commands, taking full control of the server. SQL injection has been used in countless data breaches affecting millions of customers.
5 Prevention Techniques
Use Parameterized Queries (Prepared Statements)
This is the most reliable way to prevent SQL injection. Parameterized queries separate SQL logic from data. The database knows the query structure before data is bound. User input cannot change that structure. Parameterized queries make injection impossible.
Use ORM Frameworks Properly
Object-relational mapping (ORM) libraries generate SQL queries safely when used correctly. However, ORMs still allow raw queries. Avoid raw queries whenever possible.
Validate and Sanitize All User Input
Validate input against expected types and formats. Reject input that does not match. Sanitization can help but is not a complete solution on its own.
Apply Least Privilege to Database Accounts
Application database accounts should only have necessary permissions. Read-only where possible. No schema modification privileges. Limited write access. If an application gets exploited, the database account determines the damage.
Use Web Application Firewalls
WAFs can detect and block many SQL injection attempts. Defense-in-depth adds WAF protection but does not replace secure coding.
SQL injection remains in OWASP Top 10 for a reason. Developers still write vulnerable code. You must test your applications for SQL injection vulnerabilities. Fix any found. Parameterized queries are not optional. They are required for security.