What is SQL injection?
SQL injection, often called SQLi, happens when user input is inserted into a database query without proper safeguards. That can let an attacker interfere with the query and make the database do something the developer did not intend.
SQL injection is a web application vulnerability that happens when an app sends unsafe user input to a database as part of a SQL query. If the query is built incorrectly, an attacker may be able to change its meaning and read, modify, delete, or manipulate data. In some cases, SQL injection can also help bypass login checks or expose sensitive records.
The core problem is simple: the application treats untrusted input as part of a database command instead of as ordinary data.
How SQL injection works
SQL injection usually appears when an application takes input from a user and directly combines it into a SQL statement.
Typical input sources include:
- Login forms
- Search boxes
- URL parameters
- Product filters
- API requests
- Admin tools
- Reporting interfaces
If the app builds the query by concatenating raw input into the SQL string, the database may interpret that input as command logic rather than plain data.
The core issue
The problem is not SQL itself. The problem is unsafe query construction.
A vulnerable pattern looks like this conceptually:
- The app accepts user input
- The app inserts that input directly into a SQL query
- The database receives the finished query
- The input changes the logic of the command
When that happens, the attacker may be able to affect what data the query returns or what actions the database performs.
What attackers try to do with SQL injection
The impact depends on the application and the permissions of the database account behind it.
Common attacker goals include:
- Bypassing authentication
- Reading sensitive data
- Changing records
- Deleting information
- Learning the database structure
- Expanding access through an overly privileged database account
In real incidents, SQL injection can expose:
- Customer data
- Employee records
- Password hashes
- Session information
- Billing details
- Internal business data
Why SQL injection is dangerous
SQL injection remains important because databases often hold some of the most valuable information in an environment.
A successful attack can affect:
Confidentiality
Attackers may read data they were never supposed to access.
Integrity
Attackers may alter records, balances, permissions, or application data.
Availability
Attackers may delete data, corrupt tables, or trigger expensive queries that disrupt service.
That makes SQL injection more than just a bug. It can become a serious business risk.
Common places SQL injection appears
SQL injection is often associated with old websites, but it can still appear in many environments.
Common targets include:
- Public-facing web apps
- Legacy internal tools
- Customer portals
- E-commerce sites
- Mobile app back ends
- Custom business applications
- APIs that query relational databases
Internal applications deserve just as much attention. They often have direct access to valuable databases and may receive less security testing than internet-facing products.
What causes SQL injection
The root causes are usually well understood.
Unsafe string concatenation
This is the classic cause. Developers build SQL queries by joining application code and user input into one string.
Missing parameterized queries
Without parameterization, the database cannot cleanly distinguish code from data.
Overtrust in input filtering
Basic input filtering may catch obvious cases, but it is not a reliable primary defense.
Excessive database permissions
Even if an injection flaw exists, the damage is worse when the app connects using a highly privileged database account.
Weak secure development practices
Poor code review, legacy patterns, and missing application security testing all increase risk.
How to prevent SQL injection
The most effective prevention method is straightforward.
Use parameterized queries
Parameterized queries or prepared statements separate SQL code from user input. The database treats the supplied input as data, not executable query logic.
This is the main fix and should be the default approach in modern development.
Additional controls that help
Use least privilege for database accounts
Application accounts should have only the permissions they truly need. If the app only needs to read certain tables, it should not also be able to alter schema or delete broad data sets.
Validate input sensibly
Allowlist validation can reduce bad input and improve overall reliability, but it should support parameterization rather than replace it.
Review dynamic query behavior carefully
Some applications must build dynamic queries. When that happens, the design needs extra care to avoid turning user-controlled values into executable SQL logic.
Test the application
Useful practices include:
- Secure code review
- Automated application security testing
- Manual web app assessment
- Regression testing after code changes
If you need background on broader app risk categories, see What is the OWASP Top 10? and What is cross-site scripting (XSS)?.
Use a WAF as a backup layer
A web application firewall can sometimes block known SQLi patterns, but it is not the primary fix. If the application logic is unsafe, a WAF alone is not enough.
Parameterized queries vs input sanitization
A common question is whether escaping or sanitizing input is enough.
Usually, the safer answer is no.
Input escaping can be context-sensitive and easier to get wrong. Parameterized queries are stronger because they change how the database handles user input in the first place.
Think of it this way:
- Escaping tries to clean dangerous input
- Parameterization prevents the input from being treated as code
That is why parameterized queries are the preferred default defense.
Common misconceptions
“SQL injection only affects old websites.”
False. It is more common in older or poorly maintained systems, but modern apps can still be vulnerable if they build queries unsafely.
“A firewall stops SQL injection.”
Not really. Traditional firewalls do not fix application logic. A WAF may reduce some attack traffic, but the real solution is secure code and safe database access patterns.
“If a form works normally, it is not vulnerable.”
Normal functionality says nothing about whether the back-end query handling is safe.
“Escaping input is the same as parameterization.”
Not reliably. Escaping can fail in edge cases or different contexts. Parameterized queries are generally the more dependable control.
“SQL injection only lets attackers steal data.”
No. Depending on the app and permissions, it can also enable login bypass, data modification, deletion, and broader compromise.
Why SQL injection still matters
SQL injection is still relevant because many organizations continue to rely on:
- Legacy applications
- Custom internal tools
- Fast-moving development without enough security review
- Misconfigured database permissions
The vulnerability is old, but the underlying mistake still appears in real software.
Bottom line
SQL injection happens when an application lets user input change the meaning of a database query. That can lead to unauthorized data access, data modification, or authentication bypass.
The most important defense is to use parameterized queries so the database treats input as data instead of command logic. Pair that with least-privilege database access, solid testing, and secure development practices, and you remove most of the real risk.
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.