Chapter 31 Β· Helper 2

Concepts Map

How SQL injection works, what attackers can do, and how to stop it.

How SQL Injection Happens: The Anatomy

SQL injection occurs when three conditions are true simultaneously:

1
The application uses a database β€” it sends SQL queries to retrieve or modify data based on user input.
2
User input is not validated or escaped β€” the application passes whatever the user types directly into the SQL query string without checking or sanitizing it.
3
The database executes attacker-controlled SQL β€” because the input was embedded in the query, the attacker's SQL syntax becomes part of the command the database engine runs.

Remove any one of these conditions and the attack fails. The most reliable way to remove condition 2 is parameterized queries.

The Query Transformation β€” Before and After Injection

Normal usage: User enters Professor

SELECT * FROM users WHERE name = 'Professor'

Result: returns the one matching record. Expected and safe.

After injection: User enters Professor' OR '1'='1

SELECT * FROM users WHERE name = 'Professor' OR '1'='1'

Result: the OR clause makes the condition always true β€” the database returns every row in the users table. The attacker has disclosed the entire dataset without any special credentials or tools.

Authentication bypass: User enters ' OR '1'='1'-- in the username field

SELECT * FROM users WHERE username = '' OR '1'='1'-- ' AND password = '...'

Result: the double-dash comments out the password check entirely. The query returns the first user in the table β€” often an administrator β€” without any password being verified.

What Attackers Can Do: Four Outcomes
OutcomeWhat the Attacker DoesExample SQL
ViewRead data from any table' OR '1'='1 / UNION SELECT
ModifyChange records, prices, access levels'; UPDATE users SET admin=1--
DeleteDestroy tables or entire databases'; DROP TABLE customers--
DenyCrash the database, deny accessHeavy queries, SHUTDOWN commands

The actual impact depends on what SQL commands succeed β€” which depends on the permissions of the database account the application uses.

Common SQL Injection Entry Points

Every field that communicates with the database is a potential injection point. Attackers test them all systematically.

The Defense Stack β€” Five Layers
LayerControlHow It Prevents SQLi
1 β€” PrimaryParameterized queriesSeparates SQL structure from user data β€” user input cannot become SQL code
2 β€” InputInput validation & sanitizationRejects characters with SQL significance β€” apostrophes, semicolons, comment markers
3 β€” DB DesignStored proceduresLimits available SQL operations to pre-defined routines the application calls by name
4 β€” PermissionsPrinciple of least privilegeLimits injection impact β€” a SELECT-only account cannot run DROP TABLE even if injected
5 β€” NetworkWeb application firewall (WAF)Detects and blocks known injection patterns at the network boundary before reaching the app
Vulnerable vs. Safe Code β€” Side by Side

❌ VULNERABLE β€” String Concatenation

query = "SELECT * FROM users
  WHERE name = '"
  + userInput + "'"

db.execute(query)

User input is pasted directly into the SQL string. Any SQL the user types becomes part of the command.

βœ… SAFE β€” Parameterized Query

query = "SELECT * FROM users
  WHERE name = ?"

db.execute(query, [userInput])

The SQL structure is fixed. userInput is bound as data. The database engine cannot interpret it as SQL code.