What Is SQL Injection?
SQL Injection (SQLi) occurs when an application builds a database query by directly concatenating untrusted user input into a SQL string instead of treating that input as pure data. Because the database cannot tell the difference between the developer's intended SQL and the attacker's injected fragment, a crafted string like ' OR '1'='1 can change the logic of a query, bypass authentication, or expose data the application never meant to reveal.
Cricket analogy: It is like a scorer who copies whatever a spectator shouts into the official scorebook without checking it first; if someone yells 'erase all of Kohli's dismissals', the scorebook literally changes because the scorer never validated the input.
How Attackers Exploit It
A classic exploitation pattern is the tautology attack: an attacker submits a login username of admin' -- so the trailing SQL comment (--) strips out the password check entirely, or submits ' OR '1'='1 in a search field so the WHERE clause always evaluates true and returns every row in the table. More advanced attackers use UNION-based injection to append a second SELECT statement that pulls data from unrelated tables, such as a users table containing password hashes, by matching the column count and types of the original query.
Cricket analogy: It is like a fielder appealing 'howzat, and also give me the opposition captain's wicket too' — the umpire, following a flawed process, upholds both because the appeal format was never restricted to one valid claim.
// VULNERABLE: user input concatenated directly into the SQL string
const username = req.body.username; // attacker sends: admin' --
const password = req.body.password;
const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
db.query(query, (err, rows) => {
if (rows.length > 0) {
// attacker is now authenticated as admin without knowing the password
res.send('Login successful');
}
});Types of SQL Injection
In-Band, Blind, and Out-of-Band
In-band SQLi (error-based or UNION-based) returns results directly in the application's HTTP response, making it fast to exploit. Blind SQLi gives no direct output, forcing attackers to infer data one bit at a time using boolean conditions (does the page behave differently when a guessed character is correct?) or time delays (does the response take five extra seconds because a crafted SLEEP(5) executed?). Out-of-band SQLi is used when neither channel is available, relying on the database server itself to make a DNS or HTTP request back to an attacker-controlled server to exfiltrate data.
Cricket analogy: Blind SQLi is like guessing a pitch report by watching whether the ball turns sharply or not after each delivery, inferring the surface condition indirectly rather than being told outright by the curator.
Real-World Impact
SQL Injection has consistently ranked in the OWASP Top 10 and has been the root cause of some of the largest data breaches in history, including incidents that exposed millions of usernames, password hashes, and payment card records. Beyond data theft, a sufficiently privileged database account can allow attackers to modify or delete records, escalate to operating system command execution via database features like xp_cmdshell in SQL Server, or pivot deeper into internal networks.
Cricket analogy: It is like a single loose brick in a stadium wall that, once exploited, lets intruders not just peek at the pitch but walk into the dressing room, the trophy vault, and the broadcast control booth.
Never assume input is safe just because it comes from a dropdown, hidden field, or mobile app — attackers routinely bypass client-side controls and send crafted HTTP requests directly to the server using tools like Burp Suite or curl.
- SQL Injection happens when untrusted input is concatenated into a SQL query instead of being treated as data.
- Tautology attacks (e.g.
' OR '1'='1) and comment injection (--) can bypass authentication logic entirely. - UNION-based injection lets attackers pull data from unrelated tables by matching column counts and types.
- Blind SQLi infers data through boolean or time-based responses when no direct output is returned.
- Out-of-band SQLi exfiltrates data via DNS or HTTP requests when in-band and blind channels are unavailable.
- SQLi remains a top OWASP risk and has caused some of history's largest data breaches.
- Escalated database privileges can turn SQLi into full server or network compromise.
Practice what you learned
1. What is the fundamental cause of SQL Injection vulnerabilities?
2. Which technique would an attacker use when a query's response is identical regardless of true/false conditions, giving no visible output difference?
3. What does a UNION-based SQL injection attack primarily require to succeed?
4. Why is out-of-band SQL injection used?
5. Why did SQL Injection remain in the OWASP Top 10 for so long?
Was this page helpful?
You May Also Like
Preventing SQL Injection
A practical guide to the defenses that actually stop SQL Injection: parameterized queries, safe ORM usage, input validation, least privilege, and WAFs.
Command Injection
Understand how command injection lets attackers execute arbitrary operating system commands through vulnerable application inputs, and why it's often more dangerous than SQL Injection.
Cross-Site Scripting (XSS) Explained
Understand how attackers inject malicious scripts into web pages viewed by other users, and the three major categories of XSS: stored, reflected, and DOM-based.