SQL Injection (SQLi)
SQL Injection is a code injection technique that exploits vulnerabilities in an application's database layer by inserting malicious SQL statements into input fields. Attackers can read, modify, or delete database contents, bypass authentication, and in some cases execute commands on the underlying operating system.
How SQL Injection (SQLi) Works
SQL Injection occurs when user-supplied data is included in a SQL query without proper sanitization or parameterization. The attacker crafts input that changes the intended SQL logic.
Identify injection point
The attacker finds an input field (login form, search box, URL parameter) that is directly concatenated into a SQL query without sanitization.
Craft malicious payload
A specially crafted string such as ' OR '1'='1 is constructed to alter the SQL query's logic, turning a WHERE clause into one that always evaluates to true.
Execute the injection
The payload is submitted through the vulnerable input. The database server executes the modified query, returning unauthorized data or performing unintended operations.
Exfiltrate or manipulate data
Using UNION-based queries, error-based extraction, or blind techniques, the attacker retrieves sensitive data such as credentials, personal information, or financial records.
Real-World Examples
Heartland Payment Systems breach
130 million credit card numbers stolen via SQL injection. The breach cost Heartland over $140 million in compensatory payments.
Sony Pictures hack
Personal data of 77 million PlayStation Network accounts compromised. Service was offline for 23 days, costing Sony an estimated $171 million.
MOVEit Transfer vulnerability (CVE-2023-34362)
A critical SQL injection in MOVEit Transfer affected over 2,500 organizations and 67 million individuals globally. Exploited by the Cl0p ransomware group.
Impact & Risk Assessment
SQL Injection remains the most dangerous web application vulnerability. Successful exploitation can lead to complete database compromise, unauthorized access to sensitive data, data manipulation or destruction, authentication bypass, and in severe cases, full server takeover. The financial impact ranges from regulatory fines (GDPR, PCI-DSS) to reputational damage and loss of customer trust.
How to Detect SQL Injection (SQLi)
Monitor application logs for suspicious SQL syntax in input fields. Look for unusual error messages containing database schema information. Deploy Web Application Firewalls (WAF) with SQL injection rule sets. Use database activity monitoring (DAM) to flag anomalous queries. Implement runtime application self-protection (RASP) for real-time detection. Key indicators include single quotes, UNION SELECT statements, OR 1=1 patterns, comment sequences (--), and time-based blind payloads (SLEEP, WAITFOR).
How to Prevent SQL Injection (SQLi)
Use parameterized queries (prepared statements) for all database interactions — this is the primary defense. Apply input validation with allowlists for expected data formats. Implement the principle of least privilege for database accounts. Keep database software and drivers updated. Use stored procedures as an additional layer of abstraction. Employ ORM frameworks that handle parameterization automatically. Disable detailed error messages in production to prevent information leakage.
Code Examples
-- Vulnerable: user input concatenated directly into the SQL text
query = "SELECT * FROM users WHERE username = '" + userInput + "' AND password = '" + passInput + "'";
-- Attacker input for userInput: ' OR '1'='1' --
-- Resulting query: the injected quote closes the string literal, OR '1'='1' makes the
-- WHERE clause always true, and -- comments out the password check
SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = '';
import psycopg2

# Connection string is a placeholder; supply your own
conn = psycopg2.connect("dbname=<db> user=<user> password=<password>")
cursor = conn.cursor()

# SAFE: parameterized query; username and hashed_password come from the login request
# and are sent by the driver separately from the SQL text, never spliced into it
cursor.execute(
    "SELECT * FROM users WHERE username = %s AND password = %s",
    (username, hashed_password),
)
// SAFE: using parameterized query with pg (ES module, so top-level await is allowed)
import { Pool } from 'pg';
const pool = new Pool(); // connection settings come from the PG* environment variables

// username and hashedPassword come from the login request; $1 and $2 are bound values
const result = await pool.query(
  'SELECT * FROM users WHERE username = $1 AND password = $2',
  [username, hashedPassword]
);
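The vulnerable and parameterized queries above run side by side against a throwaway SQLite database, as an added example that is not part of the original page: the concatenated query accepts the payload from the vulnerable snippet and returns every user, the parameterized one returns nothing, and a small matcher applies the indicators from the detection section to some inputs. The table, its rows, the indicator regex and the sample inputs are all constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory database with sample rows; not data from any real system
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return conn

def login_vulnerable(conn, username, password_hash):
    # VULNERABLE: input concatenated into the SQL text (the page's first snippet);
    # a quote in the input ends the string literal and the rest becomes SQL syntax
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, username, password_hash):
    # SAFE: placeholders; the driver passes the values separately from the SQL
    # text, so quotes and comment sequences in the input stay plain data
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash))
    return [row[0] for row in rows]

# Indicators named in the detection section: single quotes, UNION SELECT,
# OR 1=1 patterns, comment sequences and time-based payloads (SLEEP, WAITFOR)
SQLI_INDICATORS = re.compile(
    r"'|--|\bUNION\s+SELECT\b|\bOR\s+'?1'?\s*=\s*'?1\b|\bSLEEP\s*\(|\bWAITFOR\s+DELAY\b",
    re.IGNORECASE)

def flag_suspicious(inputs):
    # Returns the inputs matching at least one indicator. The bare-quote rule
    # also flags legitimate values such as O'Brien, so a hit is something to
    # investigate in the logs, not proof of an attack on its own
    return [s for s in inputs if SQLI_INDICATORS.search(s)]

PAYLOAD = "' OR '1'='1' --"  # the payload used in the page's vulnerable example

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, ""))  # ['alice', 'bob']
    print("safe:", login_safe(conn, PAYLOAD, ""))              # []
    print("flagged:", flag_suspicious(["alice", PAYLOAD, "O'Brien", "x UNION SELECT 1"]))
```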