SQL Injection (SQLi)
Quick Definition
An attack technique that exploits vulnerabilities in an application's database layer by inserting malicious SQL code into queries.
What is SQL Injection?
SQL Injection (SQLi) is one of the oldest and most dangerous web application vulnerabilities. It occurs when an attacker is able to insert or "inject" malicious SQL code into a query that an application sends to its database. This happens when user input is incorrectly filtered or not properly parameterized.
SQL injection attacks can:
- Bypass authentication to gain unauthorized access
- Read sensitive data from the database
- Modify or delete data
- Execute administrative operations on the database
- In some cases, execute commands on the operating system
There are several types of SQL injection:
- In-band SQLi: The attacker uses the same channel to launch the attack and gather results (error-based, UNION-based)
- Blind SQLi: No visible error messages or query output; the attacker infers data from application behavior (differences in response content or response time)
- Out-of-band SQLi: Data is retrieved using different channels (DNS, HTTP requests)
Examples
Consider a login form where the backend query is:
SELECT * FROM users WHERE username='$user' AND password='$pass'
An attacker entering admin'-- as the username would turn the query into:
SELECT * FROM users WHERE username='admin'--' AND password='...'
The -- comments out the rest of the query, allowing login without a password.
Frequently Asked Questions
How do WAFs protect against SQL injection?
WAFs use pattern matching and signature-based detection to identify SQL injection attempts in HTTP requests. They look for suspicious SQL keywords, special characters, and known attack patterns in query strings, form data, and headers. Advanced WAFs also use behavioral analysis to detect novel attacks.
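The following is an added example, not part of the original page or any vendor's rule set, showing the pattern-matching step described above over a few constructed request parameters. The signature list, the normalize and inspect_params functions, and the sample values are all assumptions made for illustration; a real WAF carries far larger rule sets and more normalization stages.

```python
import re
from urllib.parse import unquote_plus

# Constructed, illustrative signatures (hypothetical; not any product's rules).
# Each entry is (rule name, compiled pattern) and is tested against every request parameter.
SIGNATURES = [
    ("sql-comment", re.compile(r"(--|/\*)")),
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]


def normalize(value):
    """Undo encodings an attacker may use to hide a payload from naive matching.

    Percent-decoding is applied twice to handle double-encoded input, and runs of
    whitespace are collapsed so 'UNION    SELECT' still matches the signature.
    """
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def inspect_params(params):
    """Return a list of (parameter name, rule name) findings for one request.

    `params` is a dict of parameter name -> raw (possibly percent-encoded) value,
    as a WAF would see it from the query string, form body or headers.
    """
    findings = []
    for name, raw in params.items():
        value = normalize(raw)
        for rule, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, rule))
    return findings


# Constructed sample requests: three injection attempts and one legitimate value.
SAMPLE_REQUESTS = [
    {"username": "admin'--", "password": "x"},          # comment sequence (the article's example)
    {"q": "%27%20OR%20%271%27%3D%271"},                 # percent-encoded tautology
    {"id": "1 UNION SELECT 1,2"},                       # UNION-based probe
    {"name": "O'Brien"},                                # apostrophe in ordinary data
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", inspect_params(request) or "clean")
```

The last sample shows why signature tuning matters: a bare apostrophe is common in legitimate data, so the tautology rule requires a boolean operator and a comparison after the quote rather than flagging every quote. Signature matching is deliberately narrow and will miss payloads written outside these forms, which is why the page describes behavioral analysis as a complement and parameterized queries as the primary fix.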
Are parameterized queries enough to prevent SQL injection?
Parameterized queries (prepared statements) are the most effective defense against SQL injection at the application level. However, WAFs provide defense-in-depth by catching attacks at the edge, protecting legacy applications, and providing protection while code is being patched.
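As an added example (not code from the original page), the login query from the Examples section is shown below in both forms: the string-interpolated version the article describes, and the parameterized version this answer recommends. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the function names and the sample credentials are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with one user row (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    """The pattern from the article: user input is pasted into the SQL text.

    Whatever the caller types becomes part of the statement, so a quote and a
    comment sequence in `user` rewrite the query's logic.
    """
    query = f"SELECT * FROM users WHERE username='{user}' AND password='{pw}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user, pw):
    """Parameterized query: the SQL text is fixed and values are bound separately.

    The database driver never re-parses the bound values as SQL, so quotes and
    comment sequences in the input are compared as ordinary characters.
    """
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (user, pw)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # The article's payload: username admin'-- with any password.
    print("vulnerable, admin'-- :", login_vulnerable(conn, "admin'--", "wrong"))  # True: bypass
    print("safe, admin'--       :", login_safe(conn, "admin'--", "wrong"))        # False: no such user
    print("safe, real password  :", login_safe(conn, "admin", "s3cret"))          # True
```

Run it and the vulnerable function accepts the admin'-- username with a wrong password, because the comment marker removes the password check from the statement; the parameterized function looks for a user literally named admin'-- and finds none. The same placeholder binding is available in every mainstream database driver, and it is the control that removes the vulnerability rather than merely filtering known payloads.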