
SQL Injection

Understanding and preventing database security vulnerabilities

What is SQL Injection?

SQL Injection (SQLi) is a code injection technique that exploits vulnerabilities in an application's database layer. Attackers insert malicious SQL statements into application entry points, allowing them to interfere with queries made to the database.

Critical Security Risk: SQL injection consistently ranks in the OWASP Top 10 most critical web application security risks and can lead to complete database compromise.

How SQL Injection Works

When user input is directly concatenated into SQL queries without proper validation or parameterization, attackers can manipulate the query structure to execute unintended database operations.

Vulnerable Code Example:
// PHP - vulnerable to SQL Injection: user input is concatenated straight into the query text
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($connection, $query);
Secure Code Example:
// PHP - protected with prepared statements: the query structure is fixed, input is bound as data
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);
$result = $stmt->fetchAll();

Types of SQL Injection Attacks

Classic SQL Injection

Direct manipulation of SQL queries where the attacker can see the results immediately. Most common and easiest to detect and exploit.

Example:
' OR '1'='1' --

Blind SQL Injection

Attacker cannot see query results directly but can infer information based on application behavior, response times, or error messages.

Types: Boolean-based, Time-based

Union-Based Injection

Uses the UNION SQL operator to combine results from the original query with results from injected queries to extract data.

Example:
' UNION SELECT grG, password FROM users --

Error-Based Injection

Exploits database error messages to gain information about the database structure and extract data through intentionally triggered errors.

Focus: Database error messages

Time-Based Injection

Uses database functions that cause delays to infer information based on response times. Useful when no visible output is available.

Example:
'; WAITFOR DELAY '00:00:05' --

Second-Order Injection

Malicious input is stored in the database and later used in a different SQL query, making it harder to detect and prevent.

Characteristic: Delayed execution

SQL Injection Simulator

Educational Demonstration Only

This simulator shows how SQL injection works in a safe environment

Prevention Techniques

Effective SQL Injection Prevention

Parameterized Queries (Prepared Statements)

Use parameterized queries or prepared statements that separate SQL code from data. This is the most effective defense against SQL injection.

$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$user_id]);
Input Validation and Sanitization

Validate all user input against expected patterns and sanitize data before using it in queries. Use whitelist validation when possible.

if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    throw new InvalidArgumentException("Invalid email");
}
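The contrast between the concatenated login query in the "How SQL Injection Works" section and the parameterized one, combined with allowlist validation of the username, worked through as an added example (not code from the original page) in Python against a constructed in-memory SQLite users table. The user 'alice', her password and the username pattern are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's "users" table (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Mirrors the vulnerable PHP: input is pasted into the SQL text, so a quote in
    # the username changes the query structure instead of being compared as data.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query).fetchall()]

def login_safe(conn, username, password):
    # Mirrors the prepared-statement PHP: the query shape is fixed up front and the
    # driver binds the values, so the same payload is just a username that matches nobody.
    # (Plaintext password comparison is kept only to mirror the page's example.)
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]

# Allowlist validation: accept only the characters a username is expected to contain.
# The pattern is an assumption; tighten it to the application's real rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    payload = "' OR '1'='1' --"   # the classic tautology payload shown on this page
    print("vulnerable:", login_vulnerable(make_db(), payload, "x"))   # ['alice']
    print("parameterized:", login_safe(make_db(), payload, "x"))      # []
    print("allowlist accepts payload:", validate_username(payload))   # False
```

Running the script shows the concatenated query logging in as alice with an unknown password while the parameterized query returns no row, and that the allowlist check rejects the payload before it ever reaches the database.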
Least Privilege Principle

Database accounts used by applications should have minimal necessary permissions. Avoid using administrative accounts for application connections.

Error Handling

Implement proper error handling that doesn't reveal database structure or sensitive information to potential attackers.

Regular Security Testing

Conduct regular penetration testing and code reviews to identify potential SQL injection vulnerabilities before they can be exploited.

SQL Injection Impact Scale

Potential Impact Levels

Critical: Complete database compromise, data theft, system takeover
High: Unauthorized data access, privilege escalation, data modification
Medium: Limited data exposure, authentication bypass
Low: Information disclosure, minor data leakage