SQL Injection

SQL Injection occurs when untrusted input is incorporated into a SQL query and executed without proper validation or escaping. This enables an adversary to alter the structure of the query, execute arbitrary SQL commands, modify or delete data, and extract sensitive information. In some database engines, SQL injection can be leveraged to execute operating system commands, escalating impact to full system compromise.

Remediation

Never construct SQL queries through string concatenation or direct interpolation of user input.
Use parameterised queries or prepared statements (`?` or `$1` placeholders) to enforce strong separation between code and data.
Where possible, use Object Relational Mappers (ORMs) that generate parameterised queries by default.
Apply least-privilege principles to database accounts; restrict write and administrative rights to minimise impact.
Employ allow-lists for input validation (e.g., numeric IDs only) when user input is used in query filters.
Monitor and log failed queries for early detection of attempted injection attacks.

Metadata

Severity: critical
Slug: sql-injection

CWEs

89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
20: Improper Input Validation
943: Improper Neutralization of Special Elements in Data Query Logic

OWASP

A03:2021: Injection

Available Labs

Open Typescript labs in SecDim Play for this vulnerability.

easy

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.