SQL Injection is one of the most prevalent web vulnerabilities. It involves passing crafted SQL commands through unsanitised input fields to interact directly with the backend database — potentially exposing, modifying, or deleting all data. Once exploited, it is equivalent to handing the attacker direct database access.
The Classic Bypass: ' or 1=1--

```sql
-- Normal authentication query:
SELECT * FROM users WHERE username='John' AND password='secret'

-- After injection of: ' or 1=1--
SELECT * FROM users WHERE username='John' AND password='' or 1=1--'

-- WHERE clause always TRUE → login bypassed
```
UNION Injection
```sql
SELECT header, txt FROM news
UNION ALL SELECT name, pass FROM members
-- Exposes all member credentials
```
Four Categories of SQL Injection
| Category | Mechanism |
|---|---|
| SQL Manipulation | Modify WHERE clauses or use UNION to change query results |
| Code Injection | Append EXECUTE commands to run arbitrary stored procedures |
| Function Call Injection | Inject calls to database functions (mainly Oracle PL/SQL) |
| Buffer Overflows | Exploit extended stored procedures to overflow memory |
Prevention Guidance
- Use parameterised queries / prepared statements in all database interactions — this is the primary defence.
- Filter all input: strip single quotes, double quotes, slashes, backslashes, semicolons, NULL, and carriage returns.
- Convert numeric values to integers before using them in SQL; on SQL Server, validate with ISNUMERIC.
- Run the database server with a low-privilege account.
- Delete unused stored procedures (xp_startmail, xp_sendmail, sp_makewebtask).
- Never return detailed database error messages to users.
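The following example, added here and not taken from the page, shows both query patterns above (the `' or 1=1--` login bypass and the UNION ALL credential leak) against an in-memory SQLite database with constructed sample rows, and places each vulnerable string-concatenated query beside its hardened form. The hardened versions apply the first and third prevention points: parameterised queries for all values, and converting a numeric identifier to an integer before it reaches SQL. The table and column names follow the page; the row contents, function names and the `news.id` column are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database mirroring the page's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('John', 'secret');
        CREATE TABLE news (id INTEGER, header TEXT, txt TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First post');
        CREATE TABLE members (name TEXT, pass TEXT);
        INSERT INTO members VALUES ('alice', 'hunter2');   -- constructed sample row
    """)
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds values separately, so quotes
    and comment markers inside the input are treated as data, never syntax."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def news_vulnerable(conn, news_id):
    """Numeric value interpolated raw; a UNION ALL can be appended."""
    sql = f"SELECT header, txt FROM news WHERE id={news_id}"
    return conn.execute(sql).fetchall()


def news_safe(conn, news_id):
    """Convert to int first (rejecting anything that is not an integer),
    then bind the value. Returns None when the input is rejected."""
    try:
        news_id = int(news_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT header, txt FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()


def demo():
    """Run both payloads from the page against each pair of functions."""
    bypass = "' or 1=1--"
    union = "1 UNION ALL SELECT name, pass FROM members"
    conn = make_db()
    return {
        "vulnerable_login_bypassed": login_vulnerable(conn, "John", bypass),
        "safe_login_bypassed": login_safe(conn, "John", bypass),
        "safe_login_correct_password": login_safe(conn, "John", "secret"),
        "vulnerable_news_rows": news_vulnerable(conn, union),
        "safe_news_rows": news_safe(conn, union),
        "safe_news_valid_id": news_safe(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable login accepts the bypass string because the injected quote closes the password literal and the trailing `--` comments out the rest of the statement; the parameterised version compares the literal text `' or 1=1--` against the stored password and fails. The UNION payload leaks the `members` row only through the concatenated query; the integer conversion rejects it before any SQL is executed.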