SQL Injection Attack
SQL injection occurs when user input is concatenated directly into a SQL query string without sanitization or parameterization. An attacker can then change the structure of the query itself to bypass authentication, extract data, or destroy databases.
SQL Query (constructed by app)
SELECT * FROM users WHERE username = '?' AND password = '?'
Prevention
How to fix
Use parameterized queries / prepared statements
Use an ORM (SQLAlchemy, Hibernate)
Validate & whitelist input
Least privilege DB accounts
Enable WAF rules
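The first two prevention items applied to the page's users query, as an added example (not the original page's code): the concatenated form fills the '?' placeholders with string formatting, while the parameterized form passes the same '?' as real bind parameters. A legitimate username containing an apostrophe is enough to show the difference: it breaks the concatenated query's grammar but is handled as plain data by the parameterized one. The table contents and the username whitelist pattern are constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory users table for the example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'secret'), ('O''Brien', 'pw2')"
    )
    conn.commit()
    return conn

def login_concat(conn, username, password):
    # Vulnerable: user input becomes part of the SQL text, so any quote
    # or keyword in it is parsed as SQL, not as the value being compared.
    sql = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    # Prepared statement: the query text is fixed; the driver binds the
    # values separately, so they can never alter the query structure.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def concat_rejects_quote(conn):
    # Shows the defect without any attack input: a real name with an
    # apostrophe turns into a syntax error in the concatenated query.
    try:
        login_concat(conn, "O'Brien", "pw2")
        return False
    except sqlite3.Error:
        return True

# Hypothetical allow-list for usernames (defence in depth, not a
# replacement for parameterized queries).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    db = make_db()
    print(login_param(db, "O'Brien", "pw2"))   # one row, quote kept as data
    print(concat_rejects_quote(db))            # True: concatenation broke the SQL
```

Note that sqlite3 and most other drivers report bind parameters as '?' or ':name'; the placeholder never needs quoting in the query text.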