IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. SQL Injection (SQLi)
InjectionCritical

SQL Injection (SQLi)

Also known as: SQLi

SQL Injection occurs when user-controlled input is incorporated into a SQL statement without proper parameterization, allowing an attacker to change the structure of the query. Depending on the database and context, this can expose entire tables, bypass authentication, modify records, or in some configurations lead to command execution on the database host.

CWE
CWE-89
OWASP
A03:2021
CAPEC
CAPEC-66
MITRE ATT&CK
T1190

How it works

  1. 1The application builds a SQL query by concatenating user input directly into the statement.
  2. 2The attacker supplies input containing SQL syntax (quotes, comments, boolean or UNION clauses).
  3. 3The database parses the injected syntax as part of the query.
  4. 4The attacker extracts data (UNION/blind techniques), bypasses auth, or alters records.

Example

-- Vulnerable: string concatenation
SELECT * FROM users WHERE email = '$input';

-- Attacker input:  ' OR '1'='1' --
SELECT * FROM users WHERE email = '' OR '1'='1' --';
A tautology-based authentication bypass.

Impact

SQLi can result in full database disclosure, authentication bypass, data tampering, and - with sufficient privileges - remote code execution on the database server.

Remediation

  • Use parameterized queries / prepared statements for all database access.
  • Prefer well-audited ORMs and avoid dynamic query string building.
  • Apply least-privilege database accounts so an injection cannot escalate.
  • Validate and canonicalize input, but never rely on validation as the primary control.

Detection & testing

Fuzz parameters with SQL metacharacters and observe errors, boolean-based response differences, or time delays. Confirm exploitability with a safe, reproducible proof rather than error strings alone.

Impactr tests for SQL Injection (SQLi) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for SQLi

Tools

ImpactrsqlmapBurp SuiteNuclei

Frequently asked questions

Do prepared statements fully prevent SQL injection?

Parameterized queries prevent injection for data values. You still must be careful with dynamic identifiers (table/column names) and ORDER BY clauses, which cannot be parameterized and need allowlisting.

Related concepts

OS Command InjectionCross-Site Scripting (XSS)Insecure Deserialization
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub