SQL Injection Attacks - Technical Explanation

What is SQL Injection?

SQL injection is a code injection technique that exploits security vulnerabilities in a website's database layer. It occurs when user-supplied input is incorporated into SQL queries without proper validation or parameterization.

How SQL Injection Works

1. The Vulnerability

Web applications often build SQL queries by concatenating strings with user input:

# Vulnerable code example
username = request.form['username']
password = request.form['password']
query = f"SELECT * FROM users WHERE username='username}' AND password='password}'"
db.execute(query)

2. The Attack

When an attacker submits malicious input like ' OR '1'='1 as the username, the query becomes:

SELECT * FROM users WHERE username='' OR '1'='1' AND password='anything'

This query returns all users because '1'='1' is always true, potentially bypassing authentication.

3. Common Attack Vectors

Basic Authentication Bypass

Username: admin'--
Password: anything

Query becomes: SELECT * FROM users WHERE username='admin'--' AND password='anything'

The -- comments out the password check.

Union-based Attacks

Input: ' UNION SELECT null, database_name, null FROM master.databases--

This extracts database names by combining results.

Error-based Injection

Input: ' AND 1=CONVERT(int, (SELECT @@version))--

Forces database error messages that reveal system information.

Blind Injection (Boolean-based)

Input: ' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--

Tests character-by-character to extract data without visible output.

Time-based Blind Injection

Input: '; WAITFOR DELAY '00:00:05'--

Measures response time to infer query results.

4. Impact and Consequences

• **Data Breach**: Access to sensitive information (passwords, personal data)

• **Authentication Bypass**: Login without valid credentials

• **Data Manipulation**: Modify or delete database records

• **Privilege Escalation**: Gain administrative access

• **Remote Code Execution**: Execute system commands in some databases

• **Data Exfiltration**: Export entire databases

5. Prevention Methods

Use Parameterized Queries (Prepared Statements)

# Secure approach
cursor.execute("SELECT * FROM users WHERE username=? AND password=?", 
               (username, password))

Input Validation

• Whitelist acceptable characters

• Validate data types and formats

• Escape special characters

• Use stored procedures

Principle of Least Privilege

• Database accounts should have minimal necessary permissions

• Separate read/write permissions

• Use different accounts for different application functions

Additional Defenses

• Web Application Firewalls (WAF)

• Input sanitization libraries

• Regular security testing

• Database activity monitoring