SQL Injection Explained with Examples

SQL Injection, often abbreviated as SQLi, is one of the most dangerous and common web vulnerabilities found in web applications. Despite being around for decades, it continues to pose a threat to websites and users alike. In this post, we’ll break down what SQL Injection is, how it works, and walk through real examples to help you understand it better.

Prefer watching instead of reading? Here’s a quick video guide

What is SQL Injection?

SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This usually happens when user inputs are not properly validated or sanitized.

Imagine you’re signing into a website. You enter your username and password, and behind the scenes, the website runs a query to check if your credentials are correct. If that query can be manipulated by inputting malicious SQL code, that’s an SQL Injection vulnerability.

Why Does It Happen?

Most web applications use a database to store data such as user credentials, posts, comments, etc. To fetch or manipulate this data, they use SQL (Structured Query Language).

Here’s a typical login SQL query:

SELECT * FROM users WHERE username = 'john' AND password = '123456';

Now imagine what happens if the input fields are not properly filtered and someone enters the following in the username field:

' OR '1'='1

Then the query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';

This will always return true because '1'='1' is always true. Boom! The attacker is now logged in without knowing the actual password.

Types of SQL Injection

There are several types of SQL Injection attacks. Let’s explore the most common ones:

1. Classic (In-band) SQL Injection

This is the simplest form, where the attacker directly manipulates the input fields to get a response from the database.

Example:

Input:

' OR 1=1 --

The query becomes:

SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '';

Here, – is a SQL comment that ignores the rest of the query, bypassing the password check.

2. Blind SQL Injection

Sometimes the application doesn’t show error messages, so attackers don’t get direct feedback. In Blind SQLi, attackers ask the database a series of true or false questions and observe the application’s behavior.

Example:

' AND 1=1 --

If the page loads normally, it means the condition is true. If it breaks, the condition might be false. This helps attackers extract information bit by bit.

3. Time-Based Blind SQLi

If there’s no visible change in the app’s behavior, attackers may use time delays to guess the outcome.

Example:

' OR IF(1=1, SLEEP(5), 0) --

If the page takes 5 seconds to load, they know the condition was true.

4. Out-of-Band SQLi

This is a rare type that occurs when the attacker can’t use the same channel to both launch the attack and gather results. Instead, it uses functions like xp_dirtree, UTL_HTTP, or DNS queries to get data to another server.

Real-World Example: Login Bypass

Let’s say there’s a login form with two fields: username and password.

The backend SQL query might look like:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

If a user inputs the following:

• Username: ' OR '1'='1
• Password: --

The query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = '';

The -- comments out the rest, and the query returns all rows, allowing unauthorized login.

What Can an Attacker Do?

If SQL Injection is successful, an attacker can:

• Bypass authentication and log in as other users (even as admin).
• Read sensitive data like emails, passwords, or payment information.
• Modify or delete data in the database.
• Execute system-level commands (in severe cases).
• Gain full control over the web server (if chained with other attacks).

How to Prevent SQL Injection

Now that you know how dangerous SQL Injection can be, let’s talk about defense.

1. Use Prepared Statements (Parameterized Queries)

This is the most effective way to prevent SQLi.

Bad code:

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

Secure code:

$stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();

2. Use ORM Libraries

Object-Relational Mapping tools like SQLAlchemy, Hibernate, or Django ORM automatically use parameterized queries.

3. Input Validation & Escaping

Always validate and sanitize user inputs. Only allow expected formats like email, username, etc.

4. Least Privilege Principle

Make sure the database account used by the app has only the permissions it needs. Don’t use an admin account for everything.

5. Error Handling

Don’t show raw SQL errors to users. Use custom error pages to avoid giving clues to attackers.

Testing for SQL Injection

If you’re a security professional or a student learning pentesting, here are tools you can use to test for SQLi:

• SQLMap – An automated tool to detect and exploit SQLi.
• Burp Suite – Great for manual testing and fuzzing.
• DVWA (Damn Vulnerable Web App) – A safe environment to practice.
• OWASP Juice Shop – Another intentionally vulnerable app.

Disclaimer: Only test SQL Injection on systems you own or have explicit permission to test.

Conclusion

SQL Injection is one of the oldest yet still dangerous web vulnerabilities. By understanding how it works, you can better secure your applications and also test for vulnerabilities as a penetration tester or bug bounty hunter.

Key Takeaways:

• Always validate and sanitize user inputs.
• Use prepared statements to interact with the database.
• Never expose database errors to users.
• Regularly test your applications for SQL Injection vulnerabilities.