SQL Injection
Definition
A code injection attack that inserts malicious SQL statements into application input fields to manipulate or extract data from a backend database. Prevented by parameterized queries and input validation.
How SQL Injection Works
SQL Injection (SQLi) occurs when user-supplied input is concatenated directly into a database query without sanitization. An attacker inserts SQL metacharacters — quotes, comment sequences, boolean operators — to alter query logic. A simple ' OR '1'='1 can bypass a login form; a UNION SELECT attack can dump entire database tables; a ;DROP TABLE can destroy data.
Attack Variants
| Type | Technique | Visibility |
|---|---|---|
| In-band | Results returned in HTTP response | High |
| Blind boolean | Infer data from true/false responses | Low |
| Time-based blind | Infer data from response delay | Low |
| Out-of-band | Exfiltrate via DNS or HTTP callbacks | Stealthy |
Out-of-band SQLi is particularly dangerous because it bypasses WAF rules that look only at HTTP responses — the data leaves through a secondary channel like DNS.
Prevention
The only reliable fix is parameterized queries (prepared statements) — the database driver handles escaping, making injection structurally impossible. Complementary controls include:
- WAF — blocks known SQLi patterns at the HTTP layer
- Least privilege — database accounts should not have DROP or FILE rights
- Penetration testing — automated scanners (sqlmap) and manual review find overlooked injection points
XSS often co-occurs with SQLi in vulnerable applications — fixing one class of injection improves overall security posture.