What is SQL Injection?

Table of Contents 5 sections

What is SQL Injection?

SQL injection (SQLi) is one of the oldest, most prevalent, and most dangerous web application vulnerabilities. It occurs when an attacker is able to insert or "inject" malicious SQL code into queries that an application sends to its database. This happens when user-supplied input is incorporated into SQL statements without proper validation or sanitization, allowing the attacker to manipulate the query's logic to perform unauthorized operations on the database.

Despite being well-understood and preventable for over two decades, SQL injection consistently ranks among the top web application security risks in the OWASP Top 10. The vulnerability persists because many applications still construct SQL queries by concatenating user input directly into query strings rather than using parameterized queries. A successful SQL injection attack can grant an attacker complete control over the application's database, enabling data theft, data manipulation, authentication bypass, and in some cases, full server compromise.

Types of SQL Injection

In-band SQL injection is the most common and straightforward type. It includes error-based injection, where the attacker triggers database error messages that reveal information about the database structure, and union-based injection, where the attacker uses the UNION SQL operator to combine the results of the original query with data from other tables. These techniques allow attackers to extract data directly through the application's normal response channel.

Blind SQL injection occurs when the application does not display database errors or query results directly. Boolean-based blind injection relies on sending queries that produce different application behaviors depending on whether the injected condition evaluates to true or false. Time-based blind injection uses SQL commands that introduce deliberate delays, allowing the attacker to infer information based on the response time. Out-of-band SQL injection leverages database features that can make external network connections, such as DNS lookups or HTTP requests, to exfiltrate data through a separate channel when in-band techniques are not feasible.

SQL Injection in WordPress

WordPress sites are frequent targets for SQL injection attacks, primarily through vulnerabilities in third-party plugins and themes rather than in WordPress core itself. The WordPress core codebase uses the $wpdb class with prepared statements for database interactions, providing built-in protection against SQL injection. However, plugin and theme developers do not always follow these security practices, creating injection points that attackers actively scan for and exploit at scale using automated tools.

Common SQL injection vectors in WordPress include search forms, login pages, URL parameters used by plugins, AJAX handlers, and REST API endpoints that process user input without proper sanitization. Attackers use tools like SQLMap to automatically discover and exploit these vulnerabilities, often dumping the entire wp_users table to obtain administrator credentials or injecting malicious content into posts and pages. Keeping plugins and themes updated, removing unused ones, and using a Web Application Firewall (WAF) are critical defensive measures for WordPress sites.

How SQL Injection Works

Consider a simple login form that checks credentials with the query: SELECT * FROM users WHERE username = '[input]' AND password = '[input]'. If the application inserts user input directly without sanitization, an attacker can enter the username as admin' -- which transforms the query into: SELECT * FROM users WHERE username = 'admin' --' AND password = ''. The double dash comments out the password check, authenticating the attacker as the admin user without knowing the password.

More advanced injection techniques allow attackers to extract data from any table in the database, create new administrative accounts, read or write files on the server's filesystem, and even execute operating system commands through database features like xp_cmdshell in Microsoft SQL Server or LOAD_FILE and INTO OUTFILE in MySQL. Second-order SQL injection occurs when malicious input is stored in the database and later incorporated into a SQL query without sanitization, making it particularly difficult to detect through standard input validation alone.

Preventing SQL Injection

Parameterized queries, also known as prepared statements, are the primary and most effective defense against SQL injection. Instead of concatenating user input into SQL strings, parameterized queries use placeholders that the database driver fills with properly escaped values. This ensures that user input is always treated as data, never as executable SQL code, regardless of what the user enters. Every modern programming language and database framework provides support for parameterized queries.

Defense-in-depth measures complement parameterized queries to provide comprehensive protection. Input validation ensures that user-supplied data conforms to expected formats, lengths, and character sets. Least privilege database configurations limit the database user's permissions to only what the application requires, preventing an attacker from performing administrative operations even if injection is achieved. Web Application Firewalls (WAFs) detect and block common SQL injection patterns in real time. Regular security scanning with tools like SQLMap, OWASP ZAP, or commercial vulnerability scanners helps identify injection vulnerabilities before attackers do.