SQL Injection (SQLi) is a code injection attack where an attacker manipulates an application’s SQL queries to access or modify database information without authorization. It is one of the most dangerous web vulnerabilities, allowing attackers to bypass authentication, steal data, delete records, or even gain full control of a database.
How SQL Injection Works
SQL Injection exploits weak input handling: a web application builds a SQL query by concatenating user input directly into the query text. If that input is not validated or parameterized, an attacker can craft it so that the database interprets part of the input as SQL and executes commands the developer never intended.
Example of a Vulnerable SQL Query:
SELECT * FROM users WHERE username = 'admin' AND password = 'password123';
If the input fields are not properly validated, an attacker can enter:
- Username:
admin' --
- Password:
anything
The query becomes:
SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything';
The -- comment marker causes everything after it, including the password check, to be ignored, allowing the attacker to log in as admin without knowing the password.
Types of SQL Injection
1. Classic SQL Injection
Occurs when an attacker directly modifies an input field to manipulate SQL queries.
Example Attack Input:
' OR '1'='1
Query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
Since '1'='1' is always true, it retrieves all user records, potentially bypassing authentication.
2. Blind SQL Injection
Occurs when the application does not return database error messages but still executes the query. Attackers extract information by sending true/false conditions.
Example Attack Input (Boolean-Based SQLi):
' OR 1=1 --
If the application responds with different behavior for true and false conditions, attackers can infer database details.
Example Attack Input (Time-Based SQLi):
' OR IF(1=1, SLEEP(5), NULL) --
If the response is delayed by 5 seconds, the injected SQL was executed by the database, confirming the SQLi vulnerability.
3. Union-Based SQL Injection
Uses the UNION SQL operator to append the results of an attacker-chosen query to the results of the original one.
Example Attack Input:
' UNION SELECT username, password FROM users --
This forces the application to return usernames and passwords from the database.
4. Out-of-Band SQL Injection
Occurs when an attacker cannot see the query's results in the application's responses but can make the database server itself send HTTP requests, DNS queries, or emails that carry the extracted data to an attacker-controlled endpoint.
Example Attack Input:
' UNION SELECT 1, LOAD_FILE('/etc/passwd') --
Attempts to read sensitive system files.
Consequences of SQL Injection
- Data Theft: Attackers extract usernames, passwords, credit card details.
- Authentication Bypass: Attackers log in as admins without credentials.
- Data Manipulation: Attackers alter, delete, or corrupt records.
- Database Takeover: Attackers gain full database control, installing backdoors.
- System Compromise: Attackers execute OS-level commands via advanced SQLi.
How to Prevent SQL Injection
1. Use Prepared Statements (Parameterized Queries)
Prepared statements separate SQL code from user input: the query text is fixed when the statement is prepared, and the input is bound afterwards as data, so it can never change the structure of the query.
Vulnerable Query:
"SELECT * FROM users WHERE username = '" + userInput + "' AND password = '" + userPass + "'"
Secure Query with Parameterized Statements (Python Example):
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (userInput, userPass))
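The following is an added, runnable illustration of the two queries above side by side; it is not code from the original page. It uses Python's built-in sqlite3 module with a constructed in-memory users table, and replays the admin' -- payload from the first section against both the concatenated query and the parameterized one. Passwords are stored in plaintext only to mirror the page's query; a real system would compare password hashes.

```python
import sqlite3

def make_db():
    """Constructed sample database: one in-memory table with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to mirror the page's query; real systems store hashes.
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def login_vulnerable(conn, user_input, user_pass):
    """String concatenation: the input becomes part of the SQL text."""
    query = ("SELECT username FROM users WHERE username = '" + user_input
             + "' AND password = '" + user_pass + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, user_input, user_pass):
    """Placeholders: the input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user_input, user_pass))]

def demo():
    """Run the page's comment payload through both versions and return the rows each returns."""
    conn = make_db()
    payload = "admin' --"          # payload from the first section of the page
    return {
        # The -- turns the password check into a comment: the admin row comes back.
        "vulnerable": login_vulnerable(conn, payload, "anything"),
        # The same text is compared literally against the username column: no match.
        "safe": login_safe(conn, payload, "anything"),
        # A legitimate login still works with the parameterized query.
        "safe_valid": login_safe(conn, "admin", "S3cret!"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```

The vulnerable version returns the admin row without the password ever being checked; the parameterized version returns nothing for the same input because the whole string, quote and dashes included, is matched against the username column as a value.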
2. Use ORM (Object-Relational Mapping)
ORM frameworks like SQLAlchemy, Hibernate, and Django ORM generate parameterized queries for you, so application code rarely needs to build SQL strings by hand.
Example (Django ORM):
User.objects.filter(username=userInput, password=userPass)
3. Validate and Sanitize User Input
- Allow only expected characters (e.g., restrict usernames to letters and numbers).
- Reject special characters like ', ", --, ;, /* and */.
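As an added example (not from the original page), the allow-list check described above can be written as a small validator. The pattern, length limits and the validate_username name are assumptions chosen for this illustration; the list of rejected metacharacters is the one given on the page. Validation of this kind is defence in depth on top of the prepared statements in section 1, not a replacement for them, since a field such as a free-text comment cannot be restricted to letters and digits.

```python
import re

# Allow-list: letters, digits and underscore, 3 to 32 characters (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# Sequences the page lists as meaningful to SQL; used here only to explain a rejection.
SQL_METACHARS = ("'", '"', "--", ";", "/*", "*/")

def validate_username(value):
    """Return (ok, reason). Accepts only values matching the allow-list exactly."""
    if not isinstance(value, str):
        return False, "not a string"
    # fullmatch requires the whole string to match, so a trailing newline is rejected too.
    if USERNAME_RE.fullmatch(value):
        return True, "ok"
    found = [token for token in SQL_METACHARS if token in value]
    if found:
        return False, "contains SQL metacharacters: " + ", ".join(found)
    return False, "does not match allowed pattern"

def check_inputs(values):
    """Validate a batch of inputs and return {value: (ok, reason)}."""
    return {v: validate_username(v) for v in values}

if __name__ == "__main__":
    # The two attack inputs are the ones shown earlier on the page.
    for value, (ok, reason) in check_inputs(["alice_01", "admin' --", "' OR '1'='1", "ab"]).items():
        print(f"{value!r:18s} ok={ok} ({reason})")
```

Rejecting on a failed allow-list match rather than on a deny-list of characters is the important design choice: the metacharacter list only serves the error message, so an encoding or keyword the list does not mention is still refused.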
4. Limit Database Privileges
- Use least privilege principles (e.g., avoid running apps with root or admin access).
- Restrict SELECT, UPDATE, DELETE, INSERT permissions based on necessity.
5. Use Web Application Firewalls (WAFs)
WAFs like ModSecurity, Cloudflare, and AWS WAF can block SQLi attempts.
6. Monitor and Log SQL Queries
- Use SIEM (Security Information and Event Management) tools.
- Implement database activity monitoring (DAM) to detect anomalies.
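To show what the monitoring step can look like in practice, here is an added example (not part of the original page) of a signature-based scan over web server access logs, the kind of check a SIEM rule or a small pre-processing script would perform. The log lines are constructed for this example and carry URL-encoded versions of the payloads shown earlier on the page; the pattern names and the scan_log and scan_line functions are assumptions for this illustration. Signatures like these are a detection aid with known false positives and evasions, not a substitute for the fixes in sections 1 to 4.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (Combined Log Format style). The lines from 10.0.0.9
# carry URL-encoded versions of the payloads discussed earlier on the page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:12:00:07 +0000] "GET /search?q=blue+shoes HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "GET /login?username=admin%27+--&password=anything HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:12 +0000] "GET /login?username=%27+OR+%271%27%3D%271&password= HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:15 +0000] "GET /item?id=1%27+UNION+SELECT+username%2C+password+FROM+users+-- HTTP/1.1" 500 128
10.0.0.9 - - [10/Mar/2024:12:00:21 +0000] "GET /item?id=1%27+OR+IF%281%3D1%2C+SLEEP%285%29%2C+NULL%29+-- HTTP/1.1" 200 128
"""

# Signatures matched against the URL-decoded query string; each carries a label for the alert.
PATTERNS = [
    ("comment_terminator", re.compile(r"'\s*(--|/\*)")),
    ("union_select", re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.IGNORECASE)),
    ("tautology", re.compile(r"""\bOR\b\s*['"]?\w+['"]?\s*=\s*['"]?\w+['"]?""", re.IGNORECASE)),
    ("time_delay", re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\s*\(", re.IGNORECASE)),
]

# client IP, request target and status code from a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_line(line):
    """Return (client_ip, target, [labels]) for a parsable line, or None otherwise."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target, _status = m.groups()
    query = target.split("?", 1)[1] if "?" in target else ""
    decoded = unquote_plus(query)          # decode %27, %3D, '+' etc. before matching
    labels = [name for name, rx in PATTERNS if rx.search(decoded)]
    return ip, target, labels

def scan_log(text):
    """Return (ip, target, labels) for every line that trips at least one signature."""
    alerts = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and result[2]:
            alerts.append(result)
    return alerts

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(f"{ip:10s} {','.join(labels):20s} {target}")
```

Decoding before matching matters: the quote and equals sign arrive as %27 and %3D, so a rule applied to the raw line would miss every one of these requests. Grouping alerts by client IP, as the output above invites, is what turns isolated signature hits into the pattern that a SIEM can escalate.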
SQL Injection Tools (For Ethical Hacking & Testing)
- SQLmap – Automates SQL Injection detection & exploitation.
- Havij – GUI-based SQLi tool for penetration testers.
- SQLNinja – Exploits MS SQL Server vulnerabilities.