In computing,SQL injection is acode injection technique used toattack data-driven applications, in which maliciousSQL statements are inserted into an entry field for execution (e.g. to dump thedatabase contents to the attacker).[1][2] SQL injection must exploit asecurity vulnerability in an application's software, for example, when user input is either incorrectly filtered forstring literalescape characters embedded in SQL statements or user input is notstrongly typed and unexpectedly executed. SQL injection is mostly known as anattack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers tospoof identity, tamper with existingdata, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-orientedNoSQL databases can also be affected by this security vulnerability.[citation needed]
SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. TheOpen Web Application Security Project (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, includingprepared statements,stored procedures, andinput validation, to prevent user input from being misinterpreted as executable SQL code.[3]
Discussions of SQL injection began in the late 1990s, including in a 1998 article inPhrack Magazine.[4] SQL injection was ranked among the top 10 web application vulnerabilities of 2007 and 2010 by theOpen Web Application Security Project (OWASP).[5] In 2013, SQL injection was listed as the most critical web application vulnerability in the OWASP Top 10.[6]
In 2017, theOWASP Top 10 Application Security Risks grouped SQL injection under the broader category of "Injection," ranking it as the third most critical security threat. This category included various types of injection attacks, such as SQL,NoSQL, OS command, andLDAP injection. These vulnerabilities arise when an application processes untrusted data as part of a command or query, potentially allowing attackers to execute unintended actions or gain unauthorized access to data.[7]
By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’sOWASP Top 10 further expanded the definition of injection vulnerabilities to include attacks targetingObject Relational Mapping (ORM) systems,Expression Language (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secureAPIs, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.[8][9]
 | This sectiondoes notcite anysources. Please helpimprove this section byadding citations to reliable sources. Unsourced material may be challenged andremoved. Find sources: "SQL injection" – news ·newspapers ·books ·scholar ·JSTOR(March 2025) (Learn how and when to remove this message) |
SQL Injection is a common security vulnerability that arises from letting attacker supplied data become SQL code. This happens when programmers assemble SQL queries either by string interpolation or by concatenating SQL commands with user supplied data. Therefore, injection relies on the fact that SQL statements consist of both data used by the SQL statement and commands that control how the SQL statement is executed. For example, in the SQL statementselect*frompersonwherename='susan'andage=2 the string 'susan' is data and the fragmentandage=2 is an example of a command (the value2 is also data in this example).
SQL injection occurs when specially crafted user input is processed by the receiving program in a way that allows the input to exit a data context and enter a command context. This allows the attacker to alter the structure of the SQL statement which is executed.
As a simple example, imagine that the data 'susan' in the above statement was provided by user input. The user entered the string 'susan' (without the apostrophes) in a web form text entry field, and the program usedstring concatenation statements to form the above SQL statement from the three fragmentsselect*frompersonwherename=', the user input of 'susan', and'andage=2.
Now imagine that instead of entering 'susan' the attacker entered'or1=1;--.
The program will use the same string concatenation approach with the 3 fragments ofselect*frompersonwherename=', the user input of'or1=1;--, and'andage=2 and construct the statementselect*frompersonwherename=''or1=1;--' and age = 2. Many databases will ignore the text after the '--' string as this denotes a comment. The structure of the SQL command is nowselect*frompersonwherename=''or1=1; and this will select all person rows rather than just those named 'susan' whose age is 2. The attacker has managed to craft a data string which exits the data context and entered a command context.
Although the root cause of all SQL injections is the same, there are different techniques to exploit it. Some of them are discussed below:
Imagine a program creates a SQL statement using the following string assignment command :
varstatement="SELECT * FROM users WHERE name = '"+userName+"'";
This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as:
' OR '1'='1
or using comments to even block the rest of the query (there are three types of SQL comments[10]). All three lines have a space at the end:
' OR '1'='1' --' OR '1'='1' {' OR '1'='1' /*renders one of the following SQL statements by the parent language:
SELECT*FROMusersWHEREname=''OR'1'='1';
SELECT*FROMusersWHEREname=''OR'1'='1'-- ';
If this code were to be used in authentication procedure then this example could be used to force the selection of every data field (*) fromall users rather than from one specific user name as the coder intended, because the evaluation of '1'='1' is always true.
The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using anAPI that allows multiple statements:
a';DROPTABLEusers;SELECT*FROMuserinfoWHERE't'='t
This input renders the final SQL statement as follows and specified:
SELECT*FROMusersWHEREname='a';DROPTABLEusers;SELECT*FROMuserinfoWHERE't'='t';
While most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs such asPHP'smysql_query() function do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but doesn't stop them from modifying queries.
Blind SQL injection is used when a web application is vulnerable to a SQL injection, but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page.This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.[11] There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.[12]
One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen. As an example, a book review website uses aquery string to determine which book review to display. So theURLhttps://books.example.com/review?id=5 would cause the server to run the query
SELECT*FROMbookreviewsWHEREID='5';
from which it would populate the review page with data from the review withID 5, stored in thetable bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor does the user know the query string. The user only sees that the above URL returns a book review. Ahacker can load the URLshttps://books.example.com/review?id=5' OR '1'='1https://books.example.com/review?id=5' AND '1'='2
SELECT*FROMbookreviewsWHEREID='5'OR'1'='1';SELECT*FROMbookreviewsWHEREID='5'AND'1'='2';
respectively. If the original review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, and the returned page has not been created to alert the user the input is invalid, or in other words, has been caught by an input test script, the site is likely vulnerable to an SQL injection attack as the query will likely have passed through successfully in both cases. The hacker may proceed with this query string designed to reveal the version number ofMySQL running on the server:https://books.example.com/review?id=5ANDsubstring(@@version,1,INSTR(@@version,'.')-1)=4
Second-order SQL injection occurs when an application only guards its SQL against immediate user input, but has a less strict policy when dealing with data already stored in the system. Therefore, although such application would manage to safely process the user input and store it without issue, it would store the malicious SQL statement as well. Then, when another part of that application would use that data in a query that isn't protected from SQL injection, this malicious statement might get executed.[citation needed] This attack requires more knowledge of how submitted values are later used. Automated web application security scanners would not easily detect this type of SQL injection and may need to be manually instructed where to check for evidence that it is being attempted.
In order to protect from this kind of attack, all SQL processing must be uniformly secure, despite the data source.
An SQL injection is a well known attack and easily prevented by simple measures. After an apparent SQL injectionattack on TalkTalk in 2015, theBBC reported that security experts were stunned that such a large company would be vulnerable to it.[15] Techniques like pattern matching, software testing, and grammar analysis are some common ways to mitigate these attacks.[2]
Prevention measures listed further below can be summarized into a simple two-part checklist:
A simple example in PHP demonstrating usage of both rules:
$mysqli=newmysqli('hostname','db_username','db_password','db_name');$sort_column=$_GET['sort_column']??'name';// checking the column name against a whitelist:if(!in_array($sort_column,['name','birthday'],true)){thrownewInvalidArgumentException("Invalid sort column");}// using a parameter to represent the data value:$query="SELECT * FROM `users` WHERE `birthday` > ? ORDER BY `$sort_column`",// preparing SQL, binding the birthday value and executing the query:$result=$mysqli->execute_query($query,[$_GET['birthday']]);
This way, no malicious data will be able to make it into SQL.
One of the traditional ways to prevent injections is to addevery piece of data as a quoted string andescape all characters, that have special meaning in SQL strings, in that data.[16] The manual for an SQL DBMS explains which characters have a special meaning, which allows creating a comprehensiveblacklist of characters that need translation. For instance, every occurrence of a single quote (') in a string parameter must be prepended with a backslash (\) so that the database understands the single quote is part of a given string, rather than its terminator.PHP'sMySQLi module provides themysqli_real_escape_string() function to escape strings according toMySQL semantics; in the following example the username is a string parameter, and therefore it can be protected by means of string escaping:
$mysqli=newmysqli('hostname','db_username','db_password','db_name');$query=sprintf("SELECT * FROM `Users` WHERE UserName='%s'",$mysqli->real_escape_string($username),$mysqli->query($query);
Depending solely on the programmer to diligently escape all string parameters presents inherent risks, given the potential for oversights in the process. To mitigate this vulnerability, programmers may opt to develop their ownabstraction layers to automate the escaping of parameters.[17]
Besides, not every piece of data can be added to SQL as a string literal (MySQL's LIMIT clause arguments[18] or table/column names[19] for example) and in this case escaping string-related special characters will do no good whatsoever,leaving resulting SQL open to injections.
Object–relational mapping (ORM) frameworks such asHibernate andActiveRecord provide an object-oriented interface for queries over a relational database. Most, if not all, ORMs, automatically handle the escaping needed to prevent SQL injection attacks, as a part of the framework's query API. However, many ORMs provide the ability to bypass their mapping facilities and emit raw SQL statements; improper use of this functionality can introduce the possibility for an injection attack.[20]
Most development platforms support parameterized statements, also known as placeholders orbind variables, to securely handle user input instead of embedding it in SQL queries. These placeholders store only values of a defined type, preventing input from altering the query structure. As a result, SQL injection attempts are processed as unexpected input rather than executable code. With parametrized queries, SQL code remains separate from user input, and each parameter is passed as a distinct value, preventing it from being interpreted as part of the SQL statement.[3]
According toOWASP, theprinciple of least privilege helps mitigate SQL injection risks by ensuring database accounts have only the minimum permissions necessary. Read-only accounts should not have modification privileges, and application accounts should never have administrative access. Separating database users for different functions, such as authentication and data modification, further limits potential damage from SQL injection attacks.[3]
Limiting the permissions on the database login used by the web application to only what is needed may help reduce the effectiveness of any SQL injection attacks that exploit any bugs in the web application.
For example, onMicrosoft SQL Server, a database logon could be restricted from selecting on some of the system tables which would limit exploits that try to insert JavaScript into all the text columns in the database.[citation needed]
denyselectonsys.sysobjectstowebdatabaselogon;denyselectonsys.objectstowebdatabaselogon;denyselectonsys.tablestowebdatabaselogon;denyselectonsys.viewstowebdatabaselogon;denyselectonsys.packagestowebdatabaselogon;
Allow-list input validation ensures that only explicitly defined inputs are accepted, reducing the risk of injection attacks. Unlikedeny-lists, which attempt to block known malicious patterns but can be bypassed, allow-lists specify valid input and reject everything else. This approach is particularly effective forstructured data, such as dates and email addresses, where strict validation rules can be applied. While input validation alone does not prevent SQL injection and other attacks, it can act as an additional safeguard by identifying and filtering unauthorized input before it reaches an SQL query.[3][21]
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
{{cite web}}: CS1 maint: numeric names: authors list (link)