
SQL Injection
detect, understand, remediate

SQL injection allows attackers to manipulate database queries through unsanitised user input, potentially leading to full data breaches, authentication bypass, and remote code execution.

No credit card required. Free plan available forever.

Severity

Critical

CWE ID

CWE-89

OWASP Top 10

A03:2021 – Injection

CVSS 3.1 Score

9.8

What is SQL injection?

SQL injection (SQLi) is a code injection technique that exploits vulnerabilities in an application's database layer. When user-supplied input is incorporated into SQL queries without proper sanitisation, an attacker can modify the query logic to access, modify, or delete data they should not have access to.

SQLi consistently ranks among the most dangerous web application vulnerabilities. A successful attack can result in complete database compromise, including theft of credentials, personal data, financial records, and intellectual property. In severe cases, attackers can escalate from database access to operating system command execution.

Despite being well-understood for over two decades, SQL injection remains prevalent because developers continue to build queries using string concatenation rather than parameterised statements, and legacy applications often lack the protections that modern frameworks provide by default.

How it works

1. Identify input point

Attacker finds a form field, URL parameter, or API input that is passed to a database query.

2. Inject SQL syntax

Malicious SQL is injected (such as a single quote to break the query, or UNION SELECT to extract data from other tables).

3. Query executes

The server builds a query incorporating the attacker's input without sanitisation and sends it to the database.

4. Data exfiltrated

The database returns unauthorised data, or the attacker modifies/deletes records, bypasses authentication, or executes system commands.

Common causes

String concatenation in queries

Building SQL queries by concatenating user input directly into the query string instead of using parameterised statements.

Lack of input validation

Accepting and processing user input without validating its type, length, format, or range against expected values.

Overprivileged database accounts

Application database accounts with unnecessary permissions (e.g. DROP, GRANT) that amplify the impact of injection.

Legacy code and ORM misuse

Older applications without parameterised queries, or developers bypassing ORM protections with raw query methods.

How to detect it

Automated detection

  • SecPortal's authenticated scanner tests for error-based, boolean-based, and time-based blind SQLi across all discovered endpoints
  • SAST scanners (like SecPortal's Semgrep-powered code scanner) identify vulnerable query patterns in source code
  • SCA scanners check for known SQLi vulnerabilities in database libraries and ORMs

Manual testing

  • Insert single quotes, double quotes, and SQL keywords into input fields to trigger error messages
  • Use time-based payloads (e.g. SLEEP(5)) to detect blind injection where errors are suppressed
  • Test UNION-based extraction to confirm the ability to read data from other database tables

How to fix it

Use parameterised queries (prepared statements)

The most effective defence. Parameterised queries separate SQL code from data: the query text is sent to the database fixed, and the values are bound separately, so input is always treated as data and never parsed as SQL. Note that only values can be bound; identifiers such as table or column names cannot be parameterised and must be checked against an allow-list instead.

Implement input validation

Validate all user input against an allow-list of expected values, types, and formats. Reject anything that does not match.

Apply least privilege to database accounts

Application database accounts should only have the minimum permissions needed. Never use the DBA or root account for application queries.

Use ORM frameworks correctly

Modern ORMs parameterise queries by default. Avoid raw query methods and ensure any custom SQL uses parameterised statements.

Deploy a web application firewall (WAF)

A WAF provides an additional layer of defence by detecting and blocking common SQLi patterns, but should not be the sole protection.
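The following is an added example, not SecPortal code: it puts a concatenated query beside its parameterised equivalent against a constructed in-memory SQLite user table, and shows the allow-list check needed for a sort column, which cannot be bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the application's user store (not real data).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, created TEXT)"
)
conn.executemany(
    "INSERT INTO users (username, password_hash, created) VALUES (?, ?, ?)",
    [("alice", "h1", "2024-01-01"), ("bob", "h2", "2024-02-01")],
)


def find_user_vulnerable(username: str, password_hash: str):
    """Builds the query by string concatenation: input becomes part of the SQL text."""
    sql = ("SELECT id, username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchall()


def find_user_safe(username: str, password_hash: str):
    """Parameterised query: values are bound separately and never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


def causes_sql_error(username: str) -> bool:
    """Detection check: a stray single quote breaks the concatenated query,
    which is the error-based signal scanners and manual testers look for."""
    try:
        find_user_vulnerable(username, "x")
        return False
    except sqlite3.Error:
        return True


# Identifiers cannot be bound as parameters, so the sort column is allow-listed.
ALLOWED_SORT_COLUMNS = {"username", "created"}


def list_users_sorted(sort_by: str):
    """Rejects any column name that is not in the fixed allow-list before it reaches the query."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()
```

With the tautology input `' OR '1'='1` in both fields, the concatenated version returns every user while the parameterised version returns none; an apostrophe in a name such as `o'brien` raises an error only in the concatenated version.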

Compliance impact

Detect SQL injection automatically

SecPortal's authenticated scanner tests for error-based, boolean-based, and time-based blind SQL injection. Start scanning for free.
