SQL Injection in Simple Terms

By John King, CISSP, PMP, CISM •  Updated: 01/01/23 •  4 min read

SQL injection is a cyber attack in which an attacker inserts malicious code into a database through a website or application. The attacker does this by inserting specially crafted SQL statements into fields that are designed to accept user input, such as login forms or search boxes. When the website or application processes these statements, it inadvertently executes the malicious code, which can then be used to access, modify, or delete data from the database.

SQL injection attacks are possible because many websites and applications do not properly validate or sanitize user input before using it in an SQL statement. This can allow an attacker to enter code that is treated as a legitimate part of the SQL statement, allowing them to gain access to sensitive data or manipulate the database in other ways.

There are several ways that an attacker can use SQL injection to gain unauthorized access to a database. One common technique is to enter code that causes the database to reveal sensitive information, such as passwords or usernames. For example, an attacker might enter a username of "admin' OR '1'='1" into a login form. This would cause the database to return all rows in the user table, since the OR condition in the WHERE clause of the SELECT statement would always be true. The attacker could then use this information to log in as an administrator or perform other actions on the site.

Another way attackers can use SQL injection is to modify data in the database. This can be done by entering code that causes the database to execute an UPDATE statement that changes the values of certain fields. For example, an attacker might enter a username of "admin'; UPDATE users SET password='hacked' WHERE username='admin" into a login form. This would cause the database to update the password for the admin user to "hacked", allowing the attacker to log in as an administrator.

SQL injection attacks can also be used to delete data from a database. This can be done by entering code that causes the database to execute a DELETE statement. For example, an attacker might enter a username of "admin'; DELETE FROM users WHERE username='admin" into a login form. This would cause the database to delete the admin user, which could be used to disable access to the site or cause other problems.

There are several ways to prevent SQL injection attacks. One of the most effective is to use parameterized queries, which allow developers to supply the values of an SQL statement separately from the statement text itself. This prevents attackers from injecting malicious code into the statement, because user input is passed as a parameter value and is never parsed as part of the SQL.
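To make the difference concrete, here is an added example (not code from the article) that runs the article's "admin' OR '1'='1" input against the same lookup written two ways: once by string concatenation and once as a parameterized query. It assumes a constructed SQLite table named users with username, password and role columns.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("alice", "wonderland", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by string concatenation.

    The input becomes part of the SQL text, so a quote in it closes the
    string literal and everything after it is parsed as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Same lookup as a parameterized query.

    The SQL text is fixed; the value travels separately and is never parsed
    as SQL, so quotes and keywords in it are just characters of a string.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"  # the input described in the article
    # Concatenation returns every row; the parameterized lookup returns none,
    # because no user is literally named "admin' OR '1'='1".
    print("vulnerable:    ", find_user_vulnerable(db, payload))
    print("parameterized: ", find_user_parameterized(db, payload))
```

Python's sqlite3 refuses to execute more than one statement per call, so the stacked UPDATE and DELETE inputs described above only work against drivers that allow multiple statements; the parameterized version is unaffected by them either way.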

Other measures that can be taken for the prevention of SQL injection attacks include:

SQL injection attacks can be devastating for organizations that are targeted, as they can result in the loss of sensitive data or the compromise of critical systems. By taking the steps outlined above, however, organizations can significantly reduce the risk of these types of attacks.

John King, CISSP, PMP, CISM

John King currently works in the greater Los Angeles area as an ISSO (Information Systems Security Officer). John has a passion for learning and developing his cyber security skills through education, hands-on work, and studying for IT certifications.