SQL injection (SQLi) is one of the oldest and most dangerous web application vulnerabilities. It occurs when user-supplied input is incorporated into a database query without proper sanitisation, allowing the attacker to modify the query's logic.
How SQL Injection Works
Consider a login form that builds a query like this:
SELECT * FROM users WHERE username = 'INPUT' AND password = 'INPUT'
If an attacker enters ' OR '1'='1 as the username, the query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '...'
Since '1'='1' is always true, this returns all users, potentially granting admin access without a valid password.
What Attackers Can Achieve
- Bypass authentication and access accounts.
- Extract sensitive data (passwords, credit cards, personal information).
- Modify or delete database records.
- Execute operating system commands (in some configurations).
- Read or write files on the server.
Prevention
- Parameterised queries (prepared statements) — The single most effective prevention. Parameters are treated as data, never as SQL code.
- ORM frameworks — Entity Framework, Hibernate, etc. use parameterised queries by default.
- Input validation — Reject unexpected input patterns.
- Least privilege — Database accounts used by applications should only have the permissions they need.
- WAF — A Web Application Firewall can detect and block common injection patterns.
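The vulnerable concatenated query from the login example above beside its parameterised replacement, as an added example (not code from the original page), using Python's built-in sqlite3 with a constructed in-memory users table. Because AND binds tighter than OR, the page's injected string in the username slot only matches rows whose password also matches, so the demonstration supplies it as the password value.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def vulnerable_login(conn, username, password):
    # Builds the statement by string concatenation, like the page's login form:
    # the input becomes SQL text, so a quote inside it can rewrite the WHERE logic.
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def safe_login(conn, username, password):
    # Parameterised query: the driver passes the values separately from the SQL
    # text, so they are compared as data and can never terminate the literal.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # Concatenation: the OR is appended to the statement and every row matches.
    print(vulnerable_login(db, "admin", payload))
    # Same string in the username slot: '1'='1' AND password = '...' still
    # requires a real password, so nothing is returned.
    print(vulnerable_login(db, payload, "wrong"))
    # Parameterised: the payload is just an unmatched password string.
    print(safe_login(db, "admin", payload))
```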