
SQL Injection

A vulnerability where attacker-controlled input is inserted into SQL queries, allowing unauthorized database access and manipulation.

SQL injection is a vulnerability that occurs when an application incorporates user-supplied input into SQL queries without proper sanitization or parameterization. An attacker can manipulate the query's logic to bypass authentication, extract sensitive data, modify or delete database records, and in some cases execute operating system commands on the database server.

How It Works

When an application builds SQL queries by concatenating user input directly into the query string, the database engine cannot distinguish between the intended query structure and the injected SQL code. A login form that constructs "SELECT * FROM users WHERE username = '" + input + "' AND password = '" + input + "'" can be bypassed by submitting admin'-- as the username. The -- sequence comments out the rest of the query, eliminating the password check entirely.

SQL injection comes in several variants. Union-based injection uses the UNION SELECT statement to append additional queries and extract data from other tables. Error-based injection leverages database error messages that reveal information about the database structure. Blind injection is used when the application does not display query results or errors; the attacker infers information by asking true/false questions through the query and observing differences in the application's behavior or response timing.

Second-order SQL injection occurs when user input is stored safely in the database but later retrieved and incorporated into a query without parameterization. The initial input passes all validation because it is not immediately used in a query, but when it is later fetched and concatenated into a different query, the injection executes. This variant is particularly difficult to detect because the injection point and the execution point are separated.

Why It Matters

SQL injection has been a top vulnerability for over two decades and continues to appear in modern applications. A single injectable parameter can expose an entire database, including user credentials, personal data, and business-critical information. The definitive prevention is parameterized queries (prepared statements), which structurally separate the query logic from the data values. Security assessments test every data input that interacts with a database because the impact of SQL injection is consistently severe.
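As an added illustration (not part of the original glossary entry), the login check from How It Works side by side with the parameterized form recommended in Why It Matters, using Python's sqlite3 against a constructed in-memory users table: the admin'-- username from the text bypasses the concatenated query but is just a non-matching literal for the parameterized one. The table schema, sample user and function names are assumptions for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, password kept in plaintext
    purely to keep the example short (real applications hash passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Concatenation: the engine cannot tell where the data ends and the
    # query structure resumes. With username "admin'--" the quote closes the
    # literal and "--" comments out the AND password = ... clause.
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Prepared statement: the query text is fixed before any value is seen;
    # the driver binds "admin'--" as an ordinary string that matches no user.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both implementations against a valid login and the bypass input."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "admin", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, "admin'--", "wrong"),
        "param_valid": login_parameterized(conn, "admin", "correct horse"),
        "param_bypass": login_parameterized(conn, "admin'--", "wrong"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'denied'}")
```

The vulnerable version grants access for both inputs; the parameterized version grants it only for the correct credentials.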
