SQL Injection (SQLi)
Also known as: SQLi
SQL Injection occurs when user-controlled input is incorporated into a SQL statement without proper parameterization, allowing an attacker to change the structure of the query. Depending on the database and context, this can expose entire tables, bypass authentication, modify records, or in some configurations lead to command execution on the database host.
How it works
- 1The application builds a SQL query by concatenating user input directly into the statement.
- 2The attacker supplies input containing SQL syntax (quotes, comments, boolean or UNION clauses).
- 3The database parses the injected syntax as part of the query.
- 4The attacker extracts data (UNION/blind techniques), bypasses auth, or alters records.
Example
-- Vulnerable: string concatenation
SELECT * FROM users WHERE email = '$input';
-- Attacker input: ' OR '1'='1' --
SELECT * FROM users WHERE email = '' OR '1'='1' --';Impact
SQLi can result in full database disclosure, authentication bypass, data tampering, and - with sufficient privileges - remote code execution on the database server.
Remediation
- Use parameterized queries / prepared statements for all database access.
- Prefer well-audited ORMs and avoid dynamic query string building.
- Apply least-privilege database accounts so an injection cannot escalate.
- Validate and canonicalize input, but never rely on validation as the primary control.
Detection & testing
Fuzz parameters with SQL metacharacters and observe errors, boolean-based response differences, or time delays. Confirm exploitability with a safe, reproducible proof rather than error strings alone.
Impactr tests for SQL Injection (SQLi) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for SQLiTools
Frequently asked questions
Do prepared statements fully prevent SQL injection?
Parameterized queries prevent injection for data values. You still must be careful with dynamic identifiers (table/column names) and ORDER BY clauses, which cannot be parameterized and need allowlisting.