What is SQL Injection?

How SQL Injection Works

SQL injection exploits the way web applications construct database queries. A typical web application accepts user input — a search term, a username, a product ID — and incorporates that input into a SQL query that retrieves information from the database. A vulnerable application constructs the query by directly concatenating user input into the query string without proper validation or parameterization.

The classic SQL injection example: a login form that accepts username and password. The application constructs a query: SELECT * FROM users WHERE username = '[input]' AND password = '[input]'. An attacker enters the username: admin' OR '1'='1. The resulting query becomes: SELECT * FROM users WHERE username = 'admin' OR '1'='1' AND password = ''. The condition '1'='1' is always true, causing the query to return the first user in the database — typically the administrator. Authentication is bypassed without knowing the actual password.

Types of SQL Injection

In-band SQL injection returns the injected query result in the application's response — the attacker can see the database output directly. This is the simplest form and enables rapid data extraction. Blind SQL injection is used when the application does not return query results in its response but exhibits different behavior based on whether a query is true or false. The attacker infers database structure and content by asking yes/no questions through carefully crafted queries. Time-based blind injection uses database timing functions — causing the database to pause for a defined period if a condition is true — as the mechanism for inferring database content when no other signal is available.

The Impact of SQL Injection Attacks

SQL injection is classified as the most dangerous web application security risk in the OWASP Top 10. Its impact ranges from data exposure to complete system compromise depending on the database configuration, the database user's privileges, and the specific injection technique used.

Data extraction is the most common objective: an attacker with SQL injection access can systematically extract the entire database — all user records, all credentials, all stored personal and financial data. The 2008 Heartland Payment Systems breach, which exposed 130 million credit card numbers, was initiated through SQL injection. The 2016 Yahoo breach that exposed 3 billion accounts involved SQL injection as a component of the attack chain.

Authentication bypass — logging into applications without valid credentials — enables account takeover at scale. If an application authenticates by querying the database for matching credentials, SQL injection can make any authentication query return a positive result. Data modification — changing records in the database — enables fraud, fraud concealment, and data manipulation. In some database configurations, SQL injection enables operating system command execution through database-level command interfaces, providing a path from database compromise to server compromise.

Defending Against SQL Injection

SQL injection is a fully preventable vulnerability. Parameterized queries — also called prepared statements — are the definitive defense. Rather than constructing query strings by concatenating user input, parameterized queries separate the query structure from the data: the query is defined first, and user input is passed as a typed parameter that the database engine treats as data rather than query syntax. An attacker who attempts to inject SQL through a parameterized query finds that their injection string is treated as a literal value rather than executable syntax.

Input validation as a defense is less robust than parameterization — attempts to filter or escape dangerous characters can be bypassed through encoding and alternative representations. Web application firewalls provide an additional detection and blocking layer for known SQL injection patterns but should not be relied upon as a substitute for parameterized queries in application code.

Real-World Example: Heartland Payment Systems — 130M Cards via SQL Injection

The 2008 Heartland Payment Systems breach is the largest payment card breach in history. Attackers initially compromised Heartland through SQL injection against the company's web application, gaining a foothold in the internal network. They then installed packet-sniffing malware on payment processing servers that captured unencrypted card data in transit. Over months of undetected operation, 130 million credit and debit card numbers were exfiltrated. The initial access vector — SQL injection — was a known vulnerability class with established prevention techniques that had been documented for over a decade. The breach cost Heartland $140 million in settlements.