SQL injection attack


SQL injection is a code injection technique used to attack data-driven applications. It occurs when malicious SQL statements are inserted into an input field and executed by the application, for example to dump database contents to an attacker. SQL injection exploits security vulnerabilities in an application’s software, typically when user input is improperly filtered for SQL escape characters or when input is not strongly typed and is executed unexpectedly. While SQL injection is most commonly associated with web applications, it can be used to attack any system that relies on an SQL database.

SQL injection attacks can have severe consequences. They may allow attackers to spoof identities, tamper with existing data, and cause repudiation issues such as voiding transactions or altering account balances. In more serious cases, attackers can gain full disclosure of all data on the system, destroy data or make it unavailable, and even obtain administrative control of the database server.

To execute malicious SQL queries, an attacker must first identify an input within the web application that is incorporated directly into an SQL query. For an SQL injection vulnerability to exist, the application must include user-supplied input in an SQL statement without proper validation or parameterization. An attacker can then insert a crafted payload that becomes part of the SQL query executed by the database server.

The following server-side pseudocode illustrates how a web application might authenticate users. SQL is a programming language designed to manage data stored in a relational database management system (RDBMS). As such, it can be used to retrieve, modify, and delete data. In certain configurations, an RDBMS may also be capable of executing operating system commands through SQL statements.

With this in mind, it becomes easier to understand how lucrative a successful SQL injection attack can be for an attacker.

An attacker can use SQL injection to bypass authentication mechanisms or impersonate legitimate users. Since one of SQL’s primary functions is to select data based on queries, an SQL injection vulnerability may result in the complete disclosure of data stored on a database server. Because web applications rely on SQL to modify data, attackers can also alter database contents, compromising data integrity and causing repudiation issues such as voided transactions or modified balances. Additionally, SQL is used to delete records; an attacker could exploit an SQL injection vulnerability to remove data entirely. Even with proper backup strategies in place, data deletion can affect application availability until restoration is complete.

Some database servers are configured—intentionally or otherwise—to allow execution of operating system commands. Under the right conditions, an attacker could use SQL injection as an initial attack vector to compromise internal systems located behind a firewall.

An SQL injection vulnerability requires only two conditions: a relational database that uses SQL and a user-controllable input that is directly incorporated into an SQL query.
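The two conditions above are easiest to see in code. The following is an added example, not the page's pseudocode or any project's code: a minimal login check against a constructed in-memory SQLite table (the `users` table, the `alice` account and the `make_db` helper are all assumptions for illustration). `login_vulnerable` splices the username and password into the SQL text, so an input containing a quote changes the statement's structure; `login_parameterized` binds the same input as data through placeholders, so the database never parses it as SQL. The classic tautology input is included only to show that the parameterized version is what closes the hole.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user table with a single account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Returns the SQL text the vulnerable path hands to the database.

    Kept separate so the effect of a quote character in the input is visible:
    the input becomes part of the statement rather than a value compared by it.
    """
    return (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """User-controlled input is concatenated directly into the query (condition two on the page)."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the query text is fixed, input travels as data."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # textbook input: closes the string, adds an always-true clause
    print(build_vulnerable_query("x", tautology))
    print("vulnerable, bad password :", login_vulnerable(db, "alice", "wrong"))
    print("vulnerable, tautology    :", login_vulnerable(db, "x", tautology))
    print("parameterized, tautology :", login_parameterized(db, "x", tautology))
    print("parameterized, real creds:", login_parameterized(db, "alice", "s3cret"))
```

Printing the built query is the cheapest way to review such code: if a value supplied by the user can appear inside the string returned by `build_vulnerable_query`, the query is injectable regardless of what other filtering is layered in front of it. The parameterized form is the fix the page's later sections (error-based and union-based exfiltration) are also defeated by, because neither technique works when the statement's structure cannot be altered by input.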

In the following example, it is assumed that the attacker’s goal is to exfiltrate data from a database by exploiting an SQL injection vulnerability in a web application.

Providing malformed input to an SQL query—such as supplying a string when an integer is expected or deliberately causing a syntax error—can cause the database server to return an error. While error messages are useful during development, enabling them on a production system can expose sensitive information. SQL errors are often descriptive enough to reveal details about the database structure, and in some cases, attackers can enumerate an entire database using error messages alone. This technique is known as error-based SQL injection. For this reason, database errors should be disabled on live systems or logged to files with restricted access.
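To make the error-message point concrete, here is an added example (not code from the page or from any product) of a record lookup done two ways against a constructed in-memory SQLite table; the `products` table, its one row and the `make_db` helper are assumptions for illustration. `lookup_leaky` accepts whatever string arrives, splices it into the statement and returns the database engine's own error text to the caller, which is exactly the descriptive feedback the paragraph warns about. `lookup_hardened` enforces the integer type before anything reaches SQL, binds the value as a parameter, and on any database error writes the detail to the application log while the client receives only a fixed generic message.

```python
import logging
import sqlite3

GENERIC_ERROR = "Request could not be processed."

# Database detail goes to a log under the operator's control, never to the client.
log = logging.getLogger("db_errors")


def make_db():
    """Constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products (id, name) VALUES (1, 'widget')")
    conn.commit()
    return conn


def lookup_leaky(conn, raw_id):
    """Weak pattern: untyped input spliced into SQL, raw engine error echoed back.

    Returns a (status, payload) pair so the two behaviours can be compared directly.
    """
    try:
        row = conn.execute(
            "SELECT name FROM products WHERE id = " + raw_id
        ).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        # Engine text such as 'no such column: ...' reveals how the statement is
        # parsed and what the schema looks like; this is what error-based probing relies on.
        return ("error", str(exc))


def lookup_hardened(conn, raw_id):
    """Strong typing + parameter binding + generic client-facing error."""
    try:
        product_id = int(raw_id)  # reject anything that is not an integer up front
    except (TypeError, ValueError):
        return ("error", GENERIC_ERROR)
    try:
        row = conn.execute(
            "SELECT name FROM products WHERE id = ?", (product_id,)
        ).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        # Full detail is logged for the operator; the client sees only the fixed message.
        log.error("database error for product id %r: %s", product_id, exc)
        return ("error", GENERIC_ERROR)


if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "abc", "99"):
        print(repr(raw), "leaky   ->", lookup_leaky(db, raw))
        print(repr(raw), "hardened->", lookup_hardened(db, raw))
```

Run it and compare the two lines for the input `abc`: the leaky path returns a message naming the unknown column, the hardened path returns the same generic string it would return for any other failure. In production the logger should write to a file or sink readable only by the application's service account, which is the "restricted access" the paragraph calls for.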

Another common data exfiltration technique involves the SQL UNION operator, which allows the results of multiple SELECT statements to be combined into a single result set. By exploiting this behavior, an attacker can force the application to return sensitive data within the HTTP response. This technique is known as union-based SQL injection.
