SQL Injection

SQL injection mixes attacker-controlled strings into a database query, letting the attacker change the query's meaning.

Definition

SQL injection (SQLi) occurs when an application builds a SQL statement by concatenating untrusted input into the query string. The database engine cannot tell intentional SQL keywords from injected ones, so an attacker can extend or rewrite the query: leak rows, change rows, escalate to other tables, sometimes execute operating-system commands through database extensions.

SQLi is the textbook injection vulnerability. The first widely published academic write-ups date to 1998 and the bug class has been in OWASP's top ten every revision since. It survives because the same convenient string-concatenation pattern shows up in every new ORM, every new language, every new framework — and because authorisation logic frequently lives in the query rather than in the application code, so a bypass cascades.

How it works

Consider the shape `SELECT * FROM users WHERE name = '<input>'` built by concatenation. The intended shape is a single-quoted string literal; injecting `' OR 1=1 --` closes the literal, opens a tautology, and comments out the rest. The query now returns every row.

Modern attacks rarely stop at boolean tautologies. UNION-based extraction reads arbitrary tables; time-based blind SQLi exfiltrates data one bit per `SLEEP()` call; out-of-band SQLi exfiltrates via DNS lookups when the database supports them. Some database engines (xp_cmdshell on legacy SQL Server, `COPY ... FROM PROGRAM` on Postgres) escalate directly to OS command execution.

Impact

Authentication bypass, mass data exfiltration, integrity loss, ransomware staging, and in some configurations remote code execution on the database host. Public dumps from large SQLi breaches routinely hit tens of millions of records.

Mitigation

Use parameterised queries (prepared statements) without exception. Never concatenate user input into a SQL string — not even "trusted" input, not even after escaping. Treat ORM "raw query" escape hatches as security-critical code paths. Apply least privilege to the application's database role (it should not be able to `DROP` objects or reach server-side execution primitives), enable query logging, and consider a database firewall for high-value workloads. OWASP's SQL Injection Prevention Cheat Sheet covers per-language patterns.
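The tautology from "How it works" run against both query styles, as an added example that is not part of the original page: the concatenated query hands the `' OR 1=1 --` input to the SQL parser and returns every row, while the parameterised query binds the same string as a plain value and matches nothing. The `users` table and its two rows are constructed for the demonstration; the driver is Python's built-in `sqlite3`.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation: the input becomes SQL grammar."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """Sends statement and value separately: the value can never close the
    string literal, add clauses, or comment out the rest of the statement."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run the same input through both lookups and return the row sets."""
    conn = make_db()
    payload = "' OR 1=1 --"  # closes the literal, adds a tautology, comments out the rest
    return {
        "vulnerable": lookup_vulnerable(conn, payload),      # every row leaks
        "parameterised": lookup_parameterised(conn, payload),  # no user is literally named this
        "legit": lookup_parameterised(conn, "alice"),        # normal lookups still work
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```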

Examples

  • CVE-2023-34362 (MOVEit Transfer) — SQLi exploited by Clop ransomware against hundreds of organisations.
  • CVE-2022-32511 — Authenticated SQLi in Trend Micro Apex Central.
