SQL Injection (SQLi) Guide

Learn how attackers manipulate SQL queries to bypass authentication, extract data, and modify databases.

🎯 What is SQL Injection?

SQL Injection occurs when an attacker inserts malicious SQL code into user input fields, allowing them to execute unintended database queries. It happens because applications concatenate user input directly into SQL statements without proper validation or parameterized queries.

Impact: Authentication bypass, data theft, data modification, denial of service, and potential complete database compromise.

💥 How It Works

When an app builds SQL queries using string concatenation:

query = "SELECT * FROM users WHERE username='" + userInput + "'"

An attacker can inject SQL syntax by providing input like: ' OR '1'='1

SELECT * FROM users WHERE username='' OR '1'='1'

The condition '1'='1' is always true, causing the query to return all users instead of just one.

🔍 Common SQLi Patterns

1. Authentication Bypass

Skip login by making the WHERE clause always true or bypassing password checks:

Input: ' OR '1'='1
Query: SELECT * FROM users WHERE username='' OR '1'='1'
Result: The WHERE clause matches every row, so the query returns all users; the application typically logs in as the first row returned (often an admin account)

2. UNION-Based Injection

Combine attacker-controlled query results with legitimate results to exfiltrate data:

Input: ' UNION SELECT username, password FROM admin_users --
Result: Legitimate results + admin credentials in same response

3. Boolean-Based Blind SQLi

When no output is visible, use boolean conditions to extract data bit by bit:

Test: ' AND SUBSTRING(password,1,1)='a' --
If page changes (true), first character is 'a'
If page stays same (false), first character is not 'a'
Repeat for each character to extract full password

⚠️ Why is SQLi So Dangerous?
  • Authentication Bypass: Access accounts without credentials
  • Data Exfiltration: Extract entire databases (credit cards, passwords, PII)
  • Data Modification: Change records, prices, permissions, user roles
  • Privilege Escalation: Promote unprivileged accounts to admin
  • Denial of Service: Delete data or lock critical tables
  • Remote Code Execution: Some databases allow writing files or executing system commands

🛡️ How to Prevent SQLi
  • Parameterized Queries / Prepared Statements: Use bound parameters instead of string concatenation
  • Input Validation: Whitelist expected input formats (email, phone, etc.)
  • Escape User Input: Use database-specific escaping functions (last resort)
  • Least Privilege: Run database with minimal necessary permissions
  • Web Application Firewall (WAF): Detect and block common SQLi patterns
  • Error Handling: Don't expose database errors to users (reveals schema)
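The concatenated query from "How It Works" beside its parameterized fix, as an added example that is not part of the original guide. It builds a constructed in-memory SQLite table (assumed names: users, username, password; the helper and function names are the example's own) and runs the page's ' OR '1'='1 input through both versions, plus a whitelist check for the Input Validation bullet.

```python
import re
import sqlite3

# Constructed sample data for the demo; the table and values are assumptions.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")]


def make_db():
    """Create an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, user_input):
    """String concatenation: the input becomes part of the SQL syntax."""
    query = "SELECT username FROM users WHERE username='" + user_input + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, user_input):
    """Bound parameter: the driver sends the value separately from the
    statement, so it is always compared as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username=?"
    return sorted(row[0] for row in conn.execute(query, (user_input,)))


# Whitelist validation (defence in depth, not a replacement for binding):
# usernames here are assumed to be 1-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(user_input):
    return USERNAME_RE.fullmatch(user_input) is not None


def demo():
    """Run a normal lookup and the page's OR payload through both queries."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_payload": find_user_vulnerable(conn, payload),  # every row
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, payload),  # no such literal name
        "payload_passes_validation": is_valid_username(payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```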

📚 Real-World Examples

Sony Pictures (2014): SQLi vulnerability exposed employee data

TalkTalk (2015): SQLi attack exposed 4 million customers' personal information

Yahoo (2013): SQLi used in chain of exploits affecting 3 billion accounts

🧪 Lab Progression

Lab 00 - Login Bypass: Use basic OR injection to bypass authentication

Lab 10 - UNION Extraction: Extract multiple columns via UNION-based injection

Lab 20 - Blind Boolean: Extract data without visible output using conditional logic

These labs are isolated and safe—no system commands, no actual database damage.