
SQL Injection

SQL injection (SQLi) is a cyberattack in which attackers deliberately inject malicious code into SQL database queries to gain unauthorized access to databases, steal or manipulate sensitive data, or take over entire systems. SQL injection is one of the most dangerous and widespread methods of attacking web applications. Learn how SQL injection works, what variants exist, what consequences an attack can have, and how you can prevent SQLi – for example, with the Myra WAF.


01

What Is SQL Injection?

SQL injection is a common attack vector. SQL (Structured Query Language) is a widely used database language employed to create data structures in relational databases, as well as to manipulate and query data sets. Due to the widespread use of SQL, programs and web applications based on it are also highly attractive to attackers.

 

In an SQL injection attack (SQLi for short), cybercriminals exploit security vulnerabilities in the source code of software to inject their own commands or malicious code into programs, often via input fields. This allows attackers to gain access to valuable data records. Most SQL injection attacks are caused by flawed scripts and programs.

 

The Open Web Application Security Project (OWASP) has included SQL injection attacks in its reference list (OWASP Top 10) of the most critical security risks and attack vectors for web applications since 2003.


02

How Does an SQL Injection Attack Work?

SQL injections are often designed to corrupt databases containing user or business data. Attackers specifically use metacharacters such as ', ;, --, or \ to extend or interrupt SQL commands.

 

In general, an SQL injection attack is always possible when:

  • User input is not validated or sanitized

  • Applications embed input data directly into SQL queries

  • Faulty scripts or CGI interfaces grant access to the database

 

Typical attack scenarios include:

  • Extracting data, e.g., passwords, email addresses, payment information

  • Manipulating data, e.g., granting admin privileges or falsifying records

  • Deleting data, e.g., emptying entire tables or databases

  • Gaining system access, e.g., taking over the server via a command-line shell

Example of an SQL injection attack

Retrieving a user by ID from a database is typically done via a REST API:

   https://myapi.com/users/123

On the server, this input typically ends up in a dynamically built query like this:

   SELECT * FROM users WHERE id = 123

If input validation is missing, an attacker can manipulate the URL:

   https://myapi.com/users/123;DELETE FROM users WHERE id != 0

The result: All user data will be deleted.

If the attacker has knowledge of the database's data structure, they could gain administrative privileges by adding or updating entries in the database:

   https://myapi.com/users/123;UPDATE users SET admin = 1 WHERE id = 456

Further detailed case studies of SQL injection attacks, including code examples, can be found on the OWASP Foundation website.

03

What Types of SQL Injection Are There?

There are several technical variants of SQL injection attacks. Here is an overview of the most important ones.

  Variant            Subtype         Description
  In-Band SQLi       Error-based     Database error messages provide information about the database structure
  In-Band SQLi       Union-based     The UNION operator combines the results of multiple SELECT queries and returns them in the HTTP response
  Blind SQLi         Boolean-based   No direct output; the attacker infers the result based on true/false responses
  Blind SQLi         Time-based      Response delays reveal database contents
  Out-of-Band SQLi   -               Data is exfiltrated via a separate channel (e.g., DNS)

In-Band SQL Injection (directly visible)

In-band SQLi involves two main techniques: error-based and union-based. Error-based injection exploits database error messages to gather information about the database structure. Union-based injection combines results from multiple tables using the UNION SQL operator, thereby enabling data extraction and unauthorized access.

  • Error-based: The attacker sends SQL queries that generate errors and analyzes the database server's error messages. This allows the attacker to obtain information about the database structure. In some cases, error-based SQLi alone is sufficient to compromise an entire database.

  • Union-based: Union-based SQL injection is an in-band technique that uses the UNION SQL operator to combine the results of two or more SELECT queries and return them as part of the HTTP response.

Blind SQL Injection (not directly visible)

Blind SQL injection is a type of SQLi attack in which the attacker asks the database true-or-false questions and determines the answer based on the application’s response. This attack method is often used when the web application does not return direct database output or error messages, meaning the attacker is acting “blindly.” Instead of reading data directly, the attacker asks the database specific questions and draws conclusions from the application’s behavior. There are two subtypes:

  • Boolean-based: The attacker sends SQL queries that cause the application to respond differently based on the result (true or false). Depending on the result, the content of the HTTP response either changes or remains the same.

  • Time-based: Time-based SQLi is an inferential technique in which an SQL query forces the database to wait for a specific period of time before responding. The response time can then be used to draw conclusions about the truth value of the query.

Out-of-Band SQL Injection

Out-of-band SQL injection is a rarely used variant of SQLi in which the attack and data exfiltration occur via two separate communication channels. The attacker injects SQL commands through the normal input channel, but the stolen data is not returned via the HTTP response; instead, it is actively transmitted from the database server to an external server controlled by the attacker, typically via a DNS or HTTP request. This method requires that the database server can initiate outgoing network connections, which is often prevented in well-secured environments.

04

What Are the Potential Consequences of SQL Injection Attacks?

Using SQL injection, attackers can read sensitive data from the database, manipulate data (insert, update, delete), perform administrative operations on the database, and, in some cases, execute commands on the operating system.

Affected organizations face the following risks:

  • Data loss: Customer data, passwords, and credit card information are stolen

  • Data manipulation: Database entries are altered or deleted

  • Privilege escalation: Attackers gain administrative privileges and, in the worst-case scenario, take over entire systems

  • Financial losses: If cybercriminals gain access to valuable data sets, the affected organizations become vulnerable to extortion. Added to this are the costs of damage remediation and potential fines.

  • Reputational damage: The serious impact of SQL injection attacks on the affected organization’s image – and thus on customer trust – should not be underestimated.

Effective SQL injection protection is therefore not only a technical necessity but also a business imperative – to safeguard customer data, system integrity, and corporate reputation.

05

How Can I Detect SQL Injection?

By the time organizations discover security vulnerabilities in their solutions that allow SQL injection attacks, it is usually already too late. Those who do not identify the vulnerability in the source code beforehand are usually led to the corresponding error in the software by the consequences of a successful attack. Indications of this include data leaks, tampering with user accounts or data records, and error messages pointing to corrupted data. Abnormal queries on web servers also frequently indicate injection attempts.

Typical signs of an SQL injection:

  • Unexpected database error messages in the browser

  • Changes to page content after entering special characters (', ;, --)

  • Delays when entering certain data (indicating a time-based SQLi)

  • Unusual data output or blank results pages
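A log-side check for the signs listed above, added here as an example (not code from the original article or from Myra): it scans constructed web-server log lines for the metacharacters and SQL keywords named on this page, for database errors that follow such input, and for unusually slow responses. The log format, the sample lines and the delay threshold are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines, format "<path> <status> <response_ms>"
# (format and values are assumptions, not taken from the original article).
SAMPLE_LOG = """\
/users/123 200 12
/users/123;DELETE FROM users WHERE id != 0 500 15
/users/123%27 500 9
/users/123 200 5200
/search?q=shoes 200 20
"""

# Metacharacters named in the article: ' ; -- \
METACHARS = re.compile(r"[';\\]|--")
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)
SLOW_MS = 3000  # assumed threshold for an "unusual delay" (sign of time-based SQLi)

def analyse_line(line):
    """Return the list of indicators found in one log line (empty if clean)."""
    path, status, response_ms = line.rsplit(" ", 2)
    decoded = unquote(path)  # inspect the decoded path: %27 is just a quote
    findings = []
    if METACHARS.search(decoded):
        findings.append("sql-metacharacter")
    if SQL_KEYWORDS.search(decoded):
        findings.append("sql-keyword")
    if status.startswith("5") and findings:
        # a database error right after suspect input is the classic error-based sign
        findings.append("db-error-after-suspect-input")
    if int(response_ms) >= SLOW_MS:
        findings.append("slow-response")
    return findings

def scan_log(text):
    """Return (line_number, path, findings) for every suspicious line."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = analyse_line(line)
        if findings:
            report.append((number, line.rsplit(" ", 2)[0], findings))
    return report

if __name__ == "__main__":
    for number, path, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {path!r} -> {', '.join(findings)}")
```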

06

How Can I Prevent SQL Injection?

Preventing SQL injection requires a consistent combination of the most secure code possible, strict input validation, and an upstream Web Application Firewall (WAF). Effective SQL injection prevention relies on multiple layers of protection simultaneously, as no single measure alone can guarantee complete protection. When combined, the following measures help reliably ward off SQL injection attacks and permanently protect your web applications.

1. Prepared Statements (Parameterized Queries)

Prepared statements, or parameterized queries, are among the most important measures for SQL injection prevention at the code level. They prevent SQL injection by treating user input strictly as data, not as executable code. The SQL query is defined first, with placeholders reserved for user input. This input is then securely passed to the query, ensuring that no malicious SQL commands can be executed.

2. Input Validation and Sanitization

As a security measure to defend against SQL injection attacks, it is recommended to use well-written source code with strict validation and sanitization of input data. For example, only permitted character types and formats should be accepted, and certain special characters should be filtered out.

3. Secure Error Handling

The application must not disclose database error details to end users. Custom error pages and appropriate logging mechanisms should intercept database errors to prevent information leaks that could benefit attackers.

4. Grant Minimal Database Privileges (Least Privilege)

Database users should only be granted the permissions they actually need. Role-based access control (RBAC) helps with this, limiting the potential damage of a successful attack.

5. Implement a Web Application Firewall (WAF)

A WAF filters incoming traffic based on defined rules and detects typical SQL injection patterns before they reach the application. As an upstream layer of protection, a WAF provides SQL injection protection that operates independently of the application code – and thus protects even when vulnerabilities in the code have not yet been fixed. This protection depends largely on the correct configuration of the filter rules.
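To tie measures 1 to 3 back to the URL example in section 02, here is an added example (not code from the original article or from Myra) using Python's sqlite3 module: it shows the string-built query the article describes, then the hardened path with an allowlist check, a bound parameter and a generic error response. The table layout, the sample rows and the HTTP-style return values are assumptions.

```python
import re
import sqlite3

# Constructed sample table (not from the original article).
SAMPLE_USERS = [(123, "alice", 0), (456, "bob", 0)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def build_vulnerable_query(raw_id):
    # The flawed pattern from the article: the URL path segment is pasted into
    # the SQL text, so a ';' in it becomes a second, attacker-chosen statement.
    return f"SELECT * FROM users WHERE id = {raw_id}"

# Measure 2: allowlist validation. A user id is a plain positive integer, nothing else.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,17}")

def validate_user_id(raw_id):
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("user id must be a positive integer")
    return int(raw_id)

def get_user(conn, user_id):
    """Measure 1: the SQL text is fixed; whatever arrives is bound as a value."""
    cur = conn.execute("SELECT id, name, admin FROM users WHERE id = ?", (user_id,))
    return cur.fetchone()

def handle_request(conn, raw_id):
    """Measures 2 and 3: validate first, and never echo database errors to the client."""
    try:
        row = get_user(conn, validate_user_id(raw_id))
    except ValueError:
        return 400, {"error": "invalid request"}
    except sqlite3.Error as exc:
        print(f"[server log] database error: {exc}")  # details stay server-side
        return 500, {"error": "internal error"}
    if row is None:
        return 404, {"error": "not found"}
    return 200, {"id": row[0], "name": row[1], "admin": row[2]}

def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

Even when the payload from section 02 is bound directly with `get_user`, it is compared as one opaque value and matches nothing, so the table stays intact; `handle_request` additionally rejects it before it reaches the database.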

07

How Does Myra WAF Help With SQL Injection Protection?

The Myra WAF offers reliable protection against SQL injection and other common attack patterns such as cross-site scripting (XSS) or directory traversal. As an upstream security solution, the WAF detects SQL injection attacks and blocks them before they reach your web applications, ensuring effective SQL injection prevention without modifying the application code. Myra provides predefined standard rules (Myra Tags) for this purpose. Additionally, you can define your own WAF rules to defend against further threats according to your requirements. You can find more information on related attack vectors in our articles on cross-site scripting and the OWASP Top 10.

Frequently Asked Questions About SQL Injection

SQL injection (SQLi) is a cyberattack in which attackers deliberately inject malicious SQL commands into a web application. The goal is to gain unauthorized access to databases, steal or manipulate sensitive data, or take over entire systems. According to OWASP, SQL injection is one of the most critical security risks for web applications.

About the author

Björn Greif

Senior Editor

Björn started his career as an editor at the IT news portal ZDNet in 2006. 10 years and exactly 12,693 articles later, he joined the German start-up Cliqz to campaign for more privacy and data protection on the web. It was then only a small step from data protection to IT security: Björn has been writing about the latest trends and developments in the world of cybersecurity at Myra since 2020.