High Severity Vulnerability

What is SQL Injection?

SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database.

The Core Issue: It occurs when untrusted user input is directly concatenated into a database query string instead of being handled as data. This allows attackers to manipulate the SQL statement to view, modify, or delete data they shouldn't access.


How It Works

The vulnerability lies in how the computer interprets instructions versus data.


1. The Command

A database speaks SQL (Structured Query Language). It expects commands like SELECT or DROP to tell it what to do.


2. The Input

Websites ask users for input (username, search terms). This input is meant to be passive data used by the command.


3. The Injection

If not sanitized, an attacker can input SQL characters (like ') to "break out" of the data area and write new commands.

Interactive Lab

SQL Injection Simulator

See exactly what happens inside the database when you log in. Try to bypass the login without a password.

Login Page


Try entering ' OR '1'='1 in the username field.

Target Database Table: "users"

ID | Username | Password
1  | admin    | ***
2  | alice    | ***

backend_server.js

// ⚠️ VULNERABLE CODE: Concatenating strings directly
const query =
  "SELECT * FROM users WHERE username = '" + inputUser + "' AND password = '" + inputPass + "'";

Final Query Executed by DB:

SELECT * FROM users WHERE username = '' AND password = ''


How to Defend Against SQLi

Defense is not about filtering "bad" characters. It's about separating data from commands.


1. Parameterized Queries (Prepared Statements)

The Gold Standard

Instead of stitching strings together, you use placeholders (like ? or :id). The database driver sends the SQL template first, then the data separately. The database treats the input purely as data, never as executable code.

# Python (Safe)
sql = "SELECT * FROM users WHERE id = %s"   # %s is the driver's placeholder, not string formatting
cursor.execute(sql, (user_input,))          # the driver passes user_input to the DB as data
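The two login paths from the lab, as an added example (not the page's simulator code), run against a constructed in-memory SQLite table so the difference between concatenation and placeholders can be checked directly; sqlite3 uses ? placeholders rather than %s. The lab payload is supplied in both fields here, because AND binds tighter than OR and a username-only payload with an empty password would otherwise match no row.

```python
import sqlite3


def make_db():
    # Constructed in-memory copy of the lab's "users" table; the password
    # values are placeholders for the demo, not real credentials or hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-admin"), (2, "alice", "s3cret-alice")],
    )
    return conn


def login_vulnerable(conn, user, pw):
    # Same construction as backend_server.js: the input is spliced into the
    # command text, so a quote in the input ends the data and starts SQL.
    query = (
        "SELECT username FROM users WHERE username = '" + user
        + "' AND password = '" + pw + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, user, pw):
    # Parameterized query: the template goes to the database first, the two
    # values follow separately, and quotes inside them remain plain data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (user, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # admin
    print("safe:      ", login_safe(db, payload, payload))        # None
```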

2. Input Validation & Least Privilege

Defense in Depth

Validation: Ensure input matches expected types (e.g., ensure an age is an integer).
Least Privilege: The database user used by the web app should only have permissions it needs. It should never be root or sa.

  • Whitelist allowed characters
  • Use ORM (Object Relational Mapping) libraries

Types of SQL Injection

In-Band (Classic)

The attacker uses the same communication channel to launch the attack and gather the results (e.g., seeing the data in the web page itself).

Inferential (Blind)

No data is transferred via the web application. The attacker reconstructs the database structure by sending payloads and observing the web app's response/behavior (like time delays).

Out-of-Band

The attacker cannot use the same channel to launch the attack and gather results. They might make the DB send an HTTP request to a server they control.