SQL Injection

Web Security πŸ•ΈοΈ β€’ Vulnerabilities 🚨 β€’ Secure Development βš™οΈ β€’ Sec+ Glossary πŸ“– β€’ Security+ 02 β€’ Difficulty: free

What is SQL Injection?

SQL Injection is a vulnerability that happens when untrusted input is inserted into a SQL query in an unsafe way, allowing an attacker to alter the query and interact with the database in unintended ways.

Examples

  • A login form builds a database query directly from what the user types, and an attacker enters crafted input that bypasses authentication.
  • A product search page sends unsanitized user input into a database query, allowing an attacker to force the application to reveal extra records.

Discover πŸ”Ž

Web applications often depend on databases for almost everything important. User accounts, passwords, customer profiles, orders, tickets, product data, and audit records are all commonly stored behind the application in structured tables. If the application talks to that database unsafely, the attacker may not need to break in through the operating system at all. The database can be manipulated through the application itself.

That is why SQL injection remains such an important security concept. The attacker is not simply sending bad input to cause a crash. The attacker is trying to change the meaning of the database query so the application asks the database the wrong question or performs the wrong action.

Remember: SQL injection happens when user input stops being treated as data and starts being treated as part of the command.

Summary πŸ“

SQL Injection is a vulnerability caused by unsafe handling of user input in database queries. It allows attackers to interfere with how an application talks to its database, which can lead to unauthorized access, data exposure, modification, or deletion. The core lesson is simple but essential: keep user input separate from SQL command structure.

Open the interactive lesson Browse more topics

Tip: The interactive version includes progress tracking, decks, and premium deep dives.