What is SQL injection?
SQL Injection is the technique of inserting complete or partial SQL commands in user-supplied data fields of web applications and submitting them for execution by the database server.
Put more simply, SQL injection is when a bad actor is able to inject malicious SQL into an application's database queries because the application builds those queries from user input unsafely.
How does an SQL Injection attack work?
Businesses use fields such as contact forms, feedback forms, checkout forms, and search bars to interact with website users. These fields let users legitimately submit information to the business's database and retrieve information from it. This "open line" between user and database is exposed to SQL injection.
If the field is coded incorrectly, an attacker can use it to insert malicious SQL commands. The injected code can trick the database into running the attacker's commands, which are capable of extracting private information and modifying or destroying database tables. Dynamic content, as well as form fields, is susceptible to SQL injection.
What steps does an attacker take in an SQL Injection attack?
The attacker enters a manipulated SQL command in a form field
An insecure application passes this query to the database, which considers it valid
The attacker gets a response from the database containing sensitive information
The attacker gathers information (such as table names) to understand the structure of the database
The attacker modifies data in the database in a malicious way
Types of SQL Injections
There are three categories of SQL injections:
Inferential (blind) SQL Injection
In a blind SQL injection attack, the attacker sends data to the server and observes its behavior in response. The attacker can gather information based on the database's responses to the attacker's requests and surmise critical information about the database. With enough observation, the attacker is able to form a picture of the database and how it is constructed, which informs how best to exploit it. This style of injection is "blind" because the attacker is not able to actually see inside the database; only indirect signals such as differing responses or response times are observed.
In-band SQL Injection
Also known as classic SQL injection, in an in-band SQL injection attack the attacker gets their result in the same "channel" as the one they launched their attack through. For example, if an attacker performs an SQL injection through a web browser, the attacker receives the results of that attack in the same location (the web browser).
Out-of-band SQL Injection
In an out-of-band SQL injection attack, the attacker does not get their result (response) from the attacked application on the same ‘channel’ as their attack. The attack instead forces the application to send data to a remote endpoint. This endpoint is controlled by the attacker, thereby allowing them access to the application’s response.
Example of SQL injection
When a user submits credentials on a login page, the web application uses them in a SQL query that is sent to the database for execution. If the submitted username and password are valid, the user gains access. Assuming the username is ‘user1’ and the password is ‘pass123’, the web application sends the following SQL query to the database for verification:
SELECT * FROM Users WHERE name = 'user1' AND password = 'pass123'
Instead of using a valid username, an attacker submits test' OR 1 = 1 -- as the username and anything as the password. Because 1 = 1 is always true and the -- turns the rest of the statement, including the password check, into a comment, the WHERE clause evaluates to true. The resulting query looks like this:
SELECT * FROM Users WHERE name = 'test' OR 1 = 1 --' AND password = 'xxxxx'
After submitting this input, the attacker gains a logged-in session without knowing a password. The attacker can then steal data or manipulate the website's databases.
How to Prevent SQL attacks
An attacker gaining administrative access to a database is an extreme security breach that SQL injection makes possible. Through this type of attack, a hacker can change or delete parts of, or even all of, the database. The attacker can also launch further attacks from a compromised server and access confidential information stored in the database. Preventing this major security threat is possible by properly coding fields so that user input is never treated as part of the SQL command, and by updating server software with the latest patches.
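The following is an added example, not code from the original page or from Fastly, that works through the login scenario above in Python with SQLite: the same SELECT is built once by string concatenation (the insecure pattern) and once with parameter placeholders (the "properly coded" version). The Users table, the sample accounts, and the function names are constructed for this example. The concatenated version is vulnerable to the page's test' OR 1 = 1 -- input, while the parameterized version treats that input as a literal username and returns no rows.

```python
import sqlite3

# Constructed sample data for this example (not from the page). Passwords are
# stored in plain text only to mirror the page's query; real systems compare hashes.
SAMPLE_USERS = [("user1", "pass123"), ("admin", "s3cret")]

# The exact username payload discussed on the page.
PAYLOAD = "test' OR 1 = 1 --"


def make_db() -> sqlite3.Connection:
    """Create an in-memory Users table shaped like the one in the page's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Insecure pattern: user input is spliced into the SQL text, so a quote and
    a -- in the input change the command itself instead of being compared as data."""
    query = (
        f"SELECT name FROM Users WHERE name = '{name}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query).fetchall())


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Fix: the SQL text is fixed and the values travel separately as bound
    parameters, so quotes and comment markers in the input stay ordinary characters."""
    query = "SELECT name FROM Users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)).fetchall())


def demo() -> dict:
    """Run both versions against valid credentials and against the page's payload."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "user1", "pass123"),
        "valid_parameterized": login_parameterized(conn, "user1", "pass123"),
        # The tautology matches every row, so the attacker "logs in" as any user.
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, "xxxxx"),
        # No user is literally named "test' OR 1 = 1 --", so nothing matches.
        "payload_parameterized": login_parameterized(conn, PAYLOAD, "xxxxx"),
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label}: {matched}")
```

Run it and compare the two payload results: the concatenated query returns every account in the table, which is why the page's single input yields a session without a password, whereas the parameterized query returns nothing. The same placeholder mechanism exists in every mainstream database driver; the placeholder syntax (?, %s, :name) varies, but the property that the query text is parsed before the values are attached is what blocks the injection.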
Tools like Fastly's Next-Gen WAF, with its proprietary detection engine, SmartParse, make instantaneous decisions inline to determine whether malicious or anomalous payloads are present. SmartParse removes the need for regex and manually intensive tuning.
You can learn more about preventing SQL injection attacks and other OWASP Top 10 attacks with Fastly here.