Overview

SQLi occurs when an application improperly handles user input, allowing an attacker to 'inject' malicious SQL code into a query. This can allow the attacker to view, modify, or delete data they are not authorized to access.

Types of SQLi

  • In-band SQLi: The attacker uses the same communication channel to launch the attack and gather results.
  • Inferential (Blind) SQLi: The attacker observes the application's response to different inputs to infer information about the database.
  • Out-of-band SQLi: The attacker uses a different channel (e.g., DNS or HTTP requests) to retrieve data.

Prevention

  • Prepared Statements (with Parameterized Queries): The most effective defense, because the query structure is fixed before user-supplied values are bound, so input can only ever be treated as data.
  • Input Validation: Ensuring input matches expected formats (for example, an allow-list of permitted characters or a strict type check) before it reaches the query.
  • Principle of Least Privilege: Limiting the database permissions of the application, so that a successful injection can only do what the application's own account is allowed to do.
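
The contrast between a concatenated query and a prepared statement, as an added example that is not part of the original page: it uses Python's `sqlite3` module against a constructed in-memory `users` table (the table, rows, function names and the `^[a-z0-9_]{1,32}$` username pattern are all assumptions made for this illustration).

```python
import re
import sqlite3

# Constructed sample data for the example only (not from any real system).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.com"), ("bob", "bob@example.com")],
)
_conn.commit()


def lookup_vulnerable(username: str) -> list:
    """Builds the SQL text by string formatting: the input becomes part of
    the query itself, so it can change the query's structure (in-band SQLi)."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return _conn.execute(sql).fetchall()


def lookup_safe(username: str) -> list:
    """Prepared statement with a parameterized query: the SQL text is fixed
    and the value is bound separately, so it is always treated as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return _conn.execute(sql, (username,)).fetchall()


# Assumed username format for input validation (defense in depth).
_USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_validated(username: str) -> list:
    """Input validation in front of the parameterized query: input that does
    not match the expected format is rejected before any SQL runs."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the expected format")
    return lookup_safe(username)


if __name__ == "__main__":
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(probe))  # every row is returned
    print("safe:      ", lookup_safe(probe))        # no row matches
```

Running the block shows the same input returning the whole table through the concatenated query and nothing through the parameterized one; the validated variant never sends it to the database at all.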

Related Terms