SQL injection is a code injection technique that exploits security vulnerabilities in a website's database layer. It occurs when user-supplied input is incorporated into SQL queries without proper validation or parameterization.
Web applications often build SQL queries by concatenating strings with user input:
# Vulnerable code example
username = request.form['username']
password = request.form['password']
query = f"SELECT * FROM users WHERE username='username}' AND password='password}'"
db.execute(query)
When an attacker submits malicious input like ' OR '1'='1 as the username, the query becomes:
SELECT * FROM users WHERE username='' OR '1'='1' AND password='anything'
This query returns all users because '1'='1' is always true, potentially bypassing authentication.
Username: admin'--
Password: anything
Query becomes: SELECT * FROM users WHERE username='admin'--' AND password='anything'
The -- comments out the password check.
Input: ' UNION SELECT null, database_name, null FROM master.databases--
This extracts database names by combining results.
Input: ' AND 1=CONVERT(int, (SELECT @@version))--
Forces database error messages that reveal system information.
Input: ' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--
Tests character-by-character to extract data without visible output.
Input: '; WAITFOR DELAY '00:00:05'--
Measures response time to infer query results.
• **Data Breach**: Access to sensitive information (passwords, personal data)
• **Authentication Bypass**: Login without valid credentials
• **Data Manipulation**: Modify or delete database records
• **Privilege Escalation**: Gain administrative access
• **Remote Code Execution**: Execute system commands in some databases
• **Data Exfiltration**: Export entire databases
# Secure approach
cursor.execute("SELECT * FROM users WHERE username=? AND password=?",
(username, password))
• Whitelist acceptable characters
• Validate data types and formats
• Escape special characters
• Use stored procedures
• Database accounts should have minimal necessary permissions
• Separate read/write permissions
• Use different accounts for different application functions
• Web Application Firewalls (WAF)
• Input sanitization libraries
• Regular security testing
• Database activity monitoring