Injection SQL
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/glossary/sql-injection/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>
Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/glossary/sql-injection/
Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/glossary/sql-injection/)
Use the native HTML custom element.
Définition
Une attaque par injection de code qui insère des instructions SQL malveillantes dans les champs de saisie d'application pour manipuler ou extraire des données d'une base de données backend. Prévenu par des requêtes paramétrées et la validation des entrées.
How SQL Injection Works
SQL Injection (SQLi) occurs when user-supplied input is concatenated directly into a database query without sanitization. An attacker inserts SQL metacharacters — quotes, comment sequences, boolean operators — to alter query logic. A simple ' OR '1'='1 can bypass a login form; a UNION SELECT attack can dump entire database tables; a ;DROP TABLE can destroy data.
Attack Variants
| Type | Technique | Visibility |
|---|---|---|
| In-band | Results returned in HTTP response | High |
| Blind boolean | Infer data from true/false responses | Low |
| Time-based blind | Infer data from response delay | Low |
| Out-of-band | Exfiltrate via DNSDomain Name System. The hierarchical, distributed naming system that translates human-readable domain names (e.g., example.com) into IP addresses (e.g., 93.184.216.34). Often called the "phonebook of the internet." or HTTP callbacks | Stealthy |
Out-of-band SQLi is particularly dangerous because it bypasses WAFWeb Application Firewall. A security layer that filters, monitors, and blocks HTTP/HTTPS traffic to and from a web application, protecting against attacks like SQL injection, XSS, and CSRF at the application layer. rules that look only at HTTP responses — the data leaves through a secondary channel like DNS.
Prevention
The only reliable fix is parameterized queries (prepared statements) — the database driver handles escaping, making injection structurally impossible. Complementary controls include:
- WAF — blocks known SQLi patterns at the HTTP layer
- Least privilege — database accounts should not have
DROPorFILErights - Penetration TestingAn authorized simulated cyberattack on a system to evaluate its security posture and identify vulnerabilities before real attackers do. Pen tests range from automated vulnerability scans to full red-team engagements. — automated scanners (sqlmap) and manual review find overlooked injection points
XSSCross-Site Scripting. A web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can steal session cookies, redirect users, or deface websites; mitigated by output encoding and CSP headers. often co-occurs with SQLi in vulnerable applications — fixing one class of injection improves overall security posture.