SQL Injection

What is SQL Injection?

SQL Injection (SQLi) is a web security vulnerability that allows attackers to interfere with the queries that an application makes to its database. It allows attackers to view, modify, or delete data that they shouldn't have access to.

🎯 OWASP Ranking

SQL Injection has been consistently ranked in the OWASP Top 10 as one of the most critical web application security risks.

How SQL Injection Works

SQL Injection occurs when user input is not properly sanitized and is directly included in SQL queries. Attackers can manipulate the input to change the query's structure and behavior.

                            # Vulnerable Code Example

                            query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";

                            # If username = 'admin'-- and password = anything

                            Resulting query: SELECT * FROM users WHERE username = 'admin'--' AND password = 'anything'

                            # The -- comments out the rest of the query, bypassing password check

Types of SQL Injection

In-band SQLi

Attackers use the same communication channel to launch attacks and gather results.

Error-based

Relies on error messages from the database to gather information

Union-based

Uses UNION SQL operator to combine results from multiple queries

Inferential (Blind) SQLi

No data is transferred, but attackers can reconstruct information by observing behavior.

Boolean-based

Uses boolean conditions to infer information from application responses

Time-based

Uses database wait functions to infer information based on response times

Out-of-band SQLi

Uses different channels for attack and data retrieval, often through DNS or HTTP requests.

Potential Impact

Consequences

Unauthorized access to sensitive data
Authentication bypass
Data manipulation or deletion
Complete database compromise
Remote code execution
Denial of service attacks

Prevention and Mitigation

Parameterized Queries

Use prepared statements with parameterized queries to separate SQL code from data.

                            # Safe Code Example (Python)

                            cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))

                            # Safe Code Example (Java)

                            PreparedStatement stmt = connection.prepareStatement("SELECT * FROM users WHERE username = ? AND password = ?");

                            stmt.setString(1, username);

                            stmt.setString(2, password);

Input Validation

Whitelist Validation

Only allow known good input patterns

Type Checking

Ensure input matches expected data types

Length Limits

Restrict input length to reasonable limits

Additional Measures

Defense in Depth

Use stored procedures
Implement proper error handling
Apply the principle of least privilege
Use web application firewalls (WAF)
Regular security testing and code reviews

Testing for SQL Injection

Manual Testing

Using single quotes, UNION statements, and other SQL constructs

Automated Tools

SQLmap, Burp Suite, OWASP ZAP, and other security scanners

Code Review

Static analysis of application code for vulnerable patterns