What is SQL Injection?
SQL Injection (SQLi) is a code injection technique in which attacker-supplied input is placed into an application's SQL query without being separated from the query's structure, so the database interprets the input as SQL rather than as data. It is one of the oldest and most damaging web vulnerabilities, and Injection still appears in the OWASP Top 10 (A03:2021).
-- The application builds the query by string concatenation:
SELECT * FROM users WHERE name = '<user input>'
-- An attacker submits the name:  admin' OR '1'='1
-- and the query the database actually runs becomes:
SELECT * FROM users WHERE name = 'admin' OR '1'='1'
-- '1'='1' is always true, so this returns ALL users!
What Attackers Can Do
- Bypass authentication - Log in as any account without knowing its password
- Extract data - Dump entire databases, including password hashes and personal data
- Modify data - Change prices, balances, roles or permissions
- Delete data - DELETE or DROP TABLE statements (the latter needs a database driver that allows stacked statements)
- Execute commands - On some databases, stored procedures that shell out to the OS (for example xp_cmdshell on Microsoft SQL Server) turn SQLi into full system takeover
Prevention (For Developers)
Use Prepared Statements
ALWAYS use parameterized queries (prepared statements), so the query text and the user-supplied values are sent to the database separately and a value can never change the query's structure. Never concatenate or format user input into SQL strings.
- Use an ORM (Object-Relational Mapping) - ORMs parameterize queries by default, but their raw-SQL escape hatches can still be injected if you build strings there
- Input validation and allow-listing - defence in depth, and the only option for parts of a query that cannot be bound as parameters, such as column or table names in ORDER BY
- Principle of least privilege for DB users - the application's database account should not own the schema or hold DROP, file or procedure-execution rights
- Web Application Firewall (WAF) - filters known injection patterns and buys time, but is bypassable and is not a substitute for fixing the code
- Regular security testing - code review and static analysis for string-built SQL, plus dynamic testing of every input that reaches a query
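The prepared-statement advice above, as an added example that is not part of the original page: a deliberately vulnerable login function built by string formatting next to its parameterized fix, run against the same injection payloads, plus an allow-list check for an ORDER BY column, which cannot be a bind parameter. It uses Python's standard sqlite3 module and an in-memory users table with constructed sample rows; the function and table names are this example's own.

```python
import sqlite3

# Allow-list for an identifier (column name) that cannot be passed as a bind parameter.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for an app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """BAD: input is spliced into the SQL text, so quotes in the input rewrite the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A malformed injected query surfaces as a database error (itself an information leak).
        return f"error: {exc}"


def login_safe(conn, name, password):
    """GOOD: placeholders. The driver sends the values separately from the statement text,
    so the input is only ever compared as data and can never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def list_users_sorted(conn, sort_col):
    """Identifiers such as column names cannot be bound as parameters, so an attacker-controlled
    ORDER BY must be checked against an allow-list before it is placed in the query."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_col}")]


def demo():
    """Run both login variants against two classic payloads and return the results."""
    conn = make_db()
    results = {}
    # Payload 1: the tautology. The vulnerable query becomes
    #   ... WHERE name = 'admin' AND password = '' OR '1'='1'
    # and, because AND binds tighter than OR, it matches every row.
    results["tautology_vulnerable"] = login_vulnerable(conn, "admin", "' OR '1'='1")
    results["tautology_safe"] = login_safe(conn, "admin", "' OR '1'='1")
    # Payload 2: close the quote and comment out the password check (-- starts a SQL comment).
    results["comment_vulnerable"] = login_vulnerable(conn, "admin'--", "wrong")
    results["comment_safe"] = login_safe(conn, "admin'--", "wrong")
    # A legitimate login still works with the parameterized version.
    results["legit_safe"] = login_safe(conn, "alice", "hunter2")
    # Identifier allow-list: a valid column sorts, anything else is refused before reaching SQL.
    results["sorted_by_name"] = list_users_sorted(conn, "name")
    try:
        list_users_sorted(conn, "name; DROP TABLE users")
        results["bad_sort_rejected"] = False
    except ValueError:
        results["bad_sort_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The safe version never has to escape anything: the quote characters in the payloads reach the database as part of a bound string and are compared literally against the stored name and password, which is why both payloads return no rows there.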
For Regular Users
You can't directly protect against SQLi on sites you visit, but:
- Use unique passwords per site - a password dumped from one breached database then cannot be reused against your other accounts
- Monitor for data breach notifications
- Be cautious with unknown websites