100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Security

SQL Injection Explained

Learn how attackers manipulate SQL queries by injecting malicious input, and why this remains one of the most dangerous web application vulnerabilities.

Injection & InputBeginner9 min readJul 10, 2026
Analogies

What Is SQL Injection?

SQL Injection (SQLi) occurs when an application builds a database query by directly concatenating untrusted user input into a SQL string instead of treating that input as pure data. Because the database cannot tell the difference between the developer's intended SQL and the attacker's injected fragment, a crafted string like ' OR '1'='1 can change the logic of a query, bypass authentication, or expose data the application never meant to reveal.

🏏

Cricket analogy: It is like a scorer who copies whatever a spectator shouts into the official scorebook without checking it first; if someone yells 'erase all of Kohli's dismissals', the scorebook literally changes because the scorer never validated the input.

How Attackers Exploit It

A classic exploitation pattern is the tautology attack: an attacker submits a login username of admin' -- so the trailing SQL comment (--) strips out the password check entirely, or submits ' OR '1'='1 in a search field so the WHERE clause always evaluates true and returns every row in the table. More advanced attackers use UNION-based injection to append a second SELECT statement that pulls data from unrelated tables, such as a users table containing password hashes, by matching the column count and types of the original query.

🏏

Cricket analogy: It is like a fielder appealing 'howzat, and also give me the opposition captain's wicket too' — the umpire, following a flawed process, upholds both because the appeal format was never restricted to one valid claim.

javascript
// VULNERABLE: user input concatenated directly into the SQL string
const username = req.body.username; // attacker sends: admin' --
const password = req.body.password;

const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
db.query(query, (err, rows) => {
  if (rows.length > 0) {
    // attacker is now authenticated as admin without knowing the password
    res.send('Login successful');
  }
});

Types of SQL Injection

In-Band, Blind, and Out-of-Band

In-band SQLi (error-based or UNION-based) returns results directly in the application's HTTP response, making it fast to exploit. Blind SQLi gives no direct output, forcing attackers to infer data one bit at a time using boolean conditions (does the page behave differently when a guessed character is correct?) or time delays (does the response take five extra seconds because a crafted SLEEP(5) executed?). Out-of-band SQLi is used when neither channel is available, relying on the database server itself to make a DNS or HTTP request back to an attacker-controlled server to exfiltrate data.

🏏

Cricket analogy: Blind SQLi is like guessing a pitch report by watching whether the ball turns sharply or not after each delivery, inferring the surface condition indirectly rather than being told outright by the curator.

Real-World Impact

SQL Injection has consistently ranked in the OWASP Top 10 and has been the root cause of some of the largest data breaches in history, including incidents that exposed millions of usernames, password hashes, and payment card records. Beyond data theft, a sufficiently privileged database account can allow attackers to modify or delete records, escalate to operating system command execution via database features like xp_cmdshell in SQL Server, or pivot deeper into internal networks.

🏏

Cricket analogy: It is like a single loose brick in a stadium wall that, once exploited, lets intruders not just peek at the pitch but walk into the dressing room, the trophy vault, and the broadcast control booth.

Never assume input is safe just because it comes from a dropdown, hidden field, or mobile app — attackers routinely bypass client-side controls and send crafted HTTP requests directly to the server using tools like Burp Suite or curl.

  • SQL Injection happens when untrusted input is concatenated into a SQL query instead of being treated as data.
  • Tautology attacks (e.g. ' OR '1'='1) and comment injection (--) can bypass authentication logic entirely.
  • UNION-based injection lets attackers pull data from unrelated tables by matching column counts and types.
  • Blind SQLi infers data through boolean or time-based responses when no direct output is returned.
  • Out-of-band SQLi exfiltrates data via DNS or HTTP requests when in-band and blind channels are unavailable.
  • SQLi remains a top OWASP risk and has caused some of history's largest data breaches.
  • Escalated database privileges can turn SQLi into full server or network compromise.

Practice what you learned

Was this page helpful?

Topics covered

#Security#WebSecurityOWASPStudyNotes#CyberSecurity#SQLInjectionExplained#SQL#Injection#Explained#Attackers#StudyNotes#SkillVeris