What is SQL injection?

SQL injection is an attack in which a user-supplied value (a login form field, a search box, a URL parameter) is crafted so that the application sends attacker-controlled SQL to its database. Depending on the query and the database account, the attacker can read, alter or delete data the application was never meant to expose.


Security gneurone encyclopedia

definition

SQL injection is a code injection technique in which attacker-supplied text becomes part of a SQL statement executed by the application's database. The flaw lives in the application code, not in the database itself: the query is built by concatenating user input into the SQL text, so a quote or keyword in the input is parsed as query syntax instead of as a value.

It occurs whenever user-supplied data reaches the query as text rather than as a bound parameter. Missing validation makes it easier to exploit, but the root cause is that code and data are mixed in one string, which lets the attacker change the logic of the query the developer intended.

Common impacts include reading data from other tables or other users, modifying or deleting records, bypassing authentication, and, where the database account is privileged, executing administrative commands or reaching the underlying host.

Think of it like giving a waiter your order but secretly adding extra instructions on the note that make the kitchen hand over the cash register keys instead of just your meal.

key takeaways

  • SQL injection exploits user input that is concatenated into the text of a SQL query instead of being passed as a parameter.
  • Attackers can bypass authentication (for example with ' OR '1'='1) or extract other tables' rows with UNION SELECT payloads.
  • Prepared statements and parameterized queries prevent injection for values; table and column names cannot be parameterized and need an allow-list instead.
  • Input validation and least-privilege database accounts are defence in depth: they limit what a successful injection can do, but do not replace parameterization.
  • Static analysis, dynamic scanners and code review catch many SQL injection flaws early; treat every place where a query string is assembled from variables as a finding to check.

the 2026 job market

Demand stays high for security engineers and application security specialists who can audit and fix database code as organizations migrate more services online, with roles focused on secure development practices and compliance testing growing through 2026.

  • Security Engineer · $115000-$155000 USD / $105000-$145000 CAD / £68000-£92000 GBP
  • Penetration Tester · $100000-$140000 USD / $95000-$135000 CAD / £60000-£85000 GBP
  • Application Security Analyst · $95000-$130000 USD / $90000-$125000 CAD / £55000-£78000 GBP

frequently asked questions

How does SQL injection work in practice?

An attacker enters a quote character followed by SQL syntax into a form field or URL parameter. Because the application builds the query by concatenating that input into the SQL string, the quote closes the string literal the developer wrote and the rest of the input is parsed as SQL. A WHERE clause meant to match one user can thus be turned into one that matches every user, or extended with a second SELECT that dumps all records.

What are real-world examples of SQL injection attacks?

Classic cases include login bypass by entering ' OR '1'='1 in the password field, which turns the condition into "(username = ... AND password = '') OR '1'='1'" and matches every row, and data exfiltration with UNION SELECT, where the attacker appends a second SELECT with the same number of columns so that rows from another table (typically users and their credentials) are returned alongside the expected results. Many breaches in older web applications trace back to these patterns, from before prepared statements became standard practice.

How can developers prevent SQL injection effectively?

Use prepared statements (parameterized queries) or an ORM that issues them, so the query text is fixed and user values are sent separately and never parsed as SQL. Reserve escaping for the rare cases where a parameter cannot be used, such as a table or column name chosen from an allow-list. Add strict input validation and run the application under a database account with the minimum privileges it needs, so that a flaw that slips through cannot read or modify more than that account is allowed to.
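The two FAQ answers above describe the mechanism and the fix in words. The following script, added here as an illustration and not code from the original page or its author, puts the vulnerable and the parameterized versions side by side against an in-memory SQLite database with constructed sample data. It shows the ' OR '1'='1 login bypass and a UNION SELECT credential dump succeeding against the concatenated queries and failing against the parameterized ones. Table and column names, sample users and products are assumptions made for the example.

```python
import sqlite3


def build_db():
    # Constructed sample data for the example: an in-memory SQLite database
    # with a users table and a products table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("alice", "hunter2")],
    )
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("desk lamp", 25), ("office chair", 120)],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input closes the string literal and the rest is parsed as SQL.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Safe: the query text is fixed; values are bound as parameters and are
    # compared as data, whatever characters they contain.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def search_vulnerable(conn, term):
    # Vulnerable: a UNION payload with the same column count (2) appends rows
    # from another table to the result the page displays; the trailing --
    # comments out the rest of the original query.
    query = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(query).fetchall()


def search_safe(conn, term):
    # Safe: the wildcard pattern is built in Python and bound as one value.
    # (% and _ inside the term still act as LIKE wildcards; that is a
    # matching quirk, not injection, and can be escaped separately.)
    query = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(query, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    bypass = "' OR '1'='1"
    print("vulnerable login: ", login_vulnerable(db, "nobody", bypass))  # every user
    print("safe login:       ", login_safe(db, "nobody", bypass))        # []
    dump = "' UNION SELECT username, password FROM users --"
    print("vulnerable search:", search_vulnerable(db, dump))             # products + credentials
    print("safe search:      ", search_safe(db, dump))                   # []
```

The vulnerable login query becomes "WHERE username = 'nobody' AND password = '' OR '1'='1'", and since AND binds tighter than OR the final condition is always true. The same payloads, bound as parameters, are simply strings that match no row.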

Does SQL injection affect NoSQL databases too?

Traditional SQL injection targets relational databases, but similar injection risks exist in NoSQL systems. Two common forms are string concatenation into server-side query expressions (such as MongoDB's $where) and operator injection, where a JSON request body carries an object like {"$ne": ""} or {"$gt": ""} in place of a string and the application passes it straight into the query filter, turning an equality check into a condition that matches any value. Prevention follows the same principle of separating commands from user data: validate the type and shape of each input (a password must be a string, not an object) and never build query expressions from untrusted text.
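The operator-injection case described above, as an added example that is not part of the original page: a login handler receives a JSON body and uses the decoded values as a MongoDB-style filter. The matcher below is a deliberately simplified emulation of MongoDB's filter semantics for $ne and $gt, written so the script runs offline without a database; the user collection and request bodies are constructed sample data. The safe handler rejects any credential that is not a plain string before it reaches the query.

```python
import json

# Constructed sample collection standing in for a MongoDB "users" collection.
USERS = [
    {"username": "admin", "password": "s3cret-admin"},
    {"username": "alice", "password": "hunter2"},
]


def field_matches(value, condition):
    # Simplified emulation of MongoDB filter semantics for a single field:
    # a plain value means equality, a dict means operator comparison.
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op == "$ne" and value != arg:
                continue
            if op == "$gt" and value is not None and value > arg:
                continue
            return False
        return True
    return value == condition


def find_one(collection, query):
    # Stand-in for collection.find_one(query): first document matching every field.
    for doc in collection:
        if all(field_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def nosql_login_vulnerable(body):
    # Vulnerable: the decoded JSON values are used as filter values directly,
    # so an attacker can send an operator object instead of a string.
    data = json.loads(body)
    return find_one(USERS, {"username": data["username"], "password": data["password"]})


def nosql_login_safe(body):
    # Safe: enforce that credentials are plain strings before they reach the
    # query, so an operator object arriving in the body is never query syntax.
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None  # malformed body: treat as a failed login (a real app would also answer 400)
    return find_one(USERS, {"username": username, "password": password})


if __name__ == "__main__":
    attack = '{"username": "admin", "password": {"$ne": ""}}'
    print("vulnerable:", nosql_login_vulnerable(attack))  # admin document, password never known
    print("safe:      ", nosql_login_safe(attack))        # None
```

With the attack body, the vulnerable filter is {"username": "admin", "password": {"$ne": ""}}: "password is not the empty string" holds for every real account, so the attacker logs in as admin without knowing the password. The same body fails the type check in the safe handler.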

courses to go further

Web Application Security: the 9 key steps to go from zero to operational (read the guide →)


Author(s)


REHOUMA Haythem

Haythem Rehouma is an AI and cloud engineer and architect, trainer and technical instructor, with a profile focused on medical AI, AWS, MLOps, LLM/RAG and computer vision.