SQL injection (SQLi) is an attack technique used to compromise the security of a web application.
It consists of inserting malicious SQL code into the input fields of a web application in order to manipulate the underlying database. It exploits weaknesses in the way the application handles user input and builds its SQL queries.
SQL injection is one of many types of injection attacks.
How it works
The basic principle is as follows:
- The attacker inserts malicious SQL code into an input field (form, URL parameter, HTTP header, etc.)
- The application concatenates this input into its SQL query without properly validating or escaping it
- The database executes the modified query, allowing the attacker to read or manipulate data it was never meant to expose
👉 Examples
Here are some common examples of SQL injection:
- Authentication bypass: the attacker enters `admin' --` as the username, which turns the login query into
```sql
SELECT * FROM users WHERE username = 'admin' --' AND password = 'password'
```
  The `--` comments out the rest of the query, so the password check is never evaluated and the attacker logs in as admin without a password.
- Data extraction: the attacker appends a UNION to a numeric parameter, for example `1 UNION SELECT username, password FROM users --`, giving
```sql
SELECT * FROM users WHERE id = 1 UNION SELECT username, password FROM users --
```
  This injection returns every username and password in the table. For the UNION to succeed, the injected SELECT must return the same number of columns (with compatible types) as the original query; attackers usually find that number first with ORDER BY or NULL probes.
💉 What to do about it
There are a number of good practices you can follow to protect yourself:
- Use parameterised (prepared) queries, so that user input is passed to the database as data and never spliced into the query text; stored procedures help only if they do not themselves build dynamic SQL from their parameters
- Validate and filter all user input (for example, reject a non-numeric value where a numeric id is expected)
- Apply the principle of least privilege to database accounts: the application's account should have only the permissions it actually needs
- Use tools such as a web application firewall and static analysis of query-building code to detect and prevent SQL injection
- Train developers in good security practices
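To make the two injections from the Examples section concrete and to show what the first two countermeasures above change, here is an added example in Python against an in-memory SQLite database. It is not code from the original page: the users table, the two sample accounts and their passwords are constructed for the demonstration, and the function names (`login_vulnerable`, `login_safe`, `lookup_vulnerable`, `lookup_safe`) are assumptions of this example. SQLite has no user accounts, so least privilege is not shown here.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
# Passwords are kept in clear text only to keep the example short; a real
# application stores password hashes.
SAMPLE_USERS = [("admin", "S3cret!"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the query text."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so a quote or a comment marker in the input is just data."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def lookup_vulnerable(conn, user_id):
    """Deliberately vulnerable: a numeric parameter is concatenated unquoted,
    so the attacker does not even need a quote to break out of the query."""
    query = f"SELECT id, username FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Validate the input type first, then bind it as a parameter."""
    try:
        uid = int(user_id)  # an id must be an integer; anything else is rejected
    except (TypeError, ValueError):
        return []
    query = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(query, (uid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()

    # Authentication bypass: the comment marker removes the password check.
    bypass = "admin' --"
    print("vulnerable login:", login_vulnerable(conn, bypass, "wrong"))  # [(1, 'admin')]
    print("safe login:      ", login_safe(conn, bypass, "wrong"))        # []

    # Data extraction: UNION with the same column count as the original query.
    dump = "1 UNION SELECT username, password FROM users --"
    print("vulnerable lookup:", lookup_vulnerable(conn, dump))  # admin row plus every username/password pair
    print("safe lookup:      ", lookup_safe(conn, dump))        # []
```

The two vulnerable functions use the exact payloads from the examples above; the safe variants show that binding parameters makes the quote and the `--` inert, and that type validation rejects the UNION payload before it ever reaches the database.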