Understanding SQL Injection: Types and Prevention

SQL injection vulnerabilities may affect any website or application that uses an SQL database. These databases include MySQL, Oracle, and SQL Server. Malicious actors may use them to gain unauthorized access to sensitive information. This can include customer information, personal data, and trade secrets.

Understanding SQLi’s particular vulnerability is vital for protecting your systems, products, and security infrastructure.

Table of Contents

What is SQL Injection?

SQL injection is a security vulnerability. It allows an attacker to interfere with the queries an application makes to its database. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database.
It usually occurs when untrusted data is improperly sanitized and then inserted into a SQL query. This can lead to unauthorized viewing of data, deletion of data, or other harmful activities.

SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists injections in their OWASP Top 10 2017 document as the number one threat to web application security.

How does SQL Injection works?

SQL injection typically occurs when user input is directly concatenated into a SQL query without proper validation or escaping.

Consequences of SQL Injection

1. Data Manipulation– Attackers can use SQL Injections to find the credentials of other users in the database. They can then impersonate these users. The impersonated user may be a database administrator with all database privileges.

2. Denial of Service (DoS) – Malicious queries can overload the database server. This results in a denial of service. It makes the application unresponsive to legitimate users.

3. Unauthorized Changes – SQL also lets you alter data in a database and add new data. For example, in a financial application, an attacker can use SQL Injection to alter balances. They void transactions or transfer money to their account.

4. Data Loss – You can use SQL to delete records from a database, even drop tables. Even if the administrator makes database backups, deletion of data could affect application availability until the database is restored.

5. Backup Corruption – Attackers may also tamper with backups, making data recovery extremely difficult after an attack.

6. Access to Operating System – Advanced SQL injection attacks can provide access to the underlying operating system, allowing attackers to execute system commands.

7. Regulatory Fines – Non-compliance with data protection regulations like GDPR, HIPAA, or CCPA due to data breaches can result in hefty fines.

SQL Injection Example

In-band SQLi (Classic) SQL Injection Example

Below is a script in Java that tries to authenticate a user by querying the database:

String username = request.getParameter("username");
String forename = request.getParameter("forename");

String sql = "SELECT * FROM users WHERE username = '" + username + "' AND forename = '" + forename + "'";

Connection conn = DriverManager.getConnection(url, username, forename);
Statement stmt = conn.createStatement();
ResultSet result = stmt.executeQuery(sql);
if (result.next()) {
    // User is authenticated
    String status = result.getString("success");
    System.out.println("Login to the application");
} else {
    // Authentication failed
  System.out.println("Unable to Login");
}

Original SQL

SELECT * FROM users WHERE username = 'admin'  AND forename = 'admin';

If a malicious user inputs the username as ‘admin’ — AND forename as ‘admin’ fields:

SELECT * FROM users WHERE username = 'admin'  -- AND forename = 'admin';

The `—` is a comment marker in SQL, causing the rest of the query to be ignored. This effectively becomes:

SELECT * FROM users WHERE username = 'admin'

If there is a user with the username `admin`, the attacker would be logged in without providing the correct forename.

To prevent SQL injection, it is essential to use parameterized queries or prepared statements, which safely handle user input and separate SQL code from data.

String username = request.getParameter("username");
String forename = request.getParameter("forename");

String sql = "SELECT * FROM users WHERE username = ? AND forename = ?";

Connection conn = DriverManager.getConnection(url, username, forename);
PreparedStatement preparedStatement = conn.prepareStatement(sql);
preparedStatement.setString(1, username);
preparedStatement.setString(2, forename);
ResultSet result = preparedStatement.executeQuery();
if (result.next()) {
    // User is authenticated
       String status = result.getString("success");
       System.out.println("Login to the application");
} else {
    // Authentication failed
    System.out.println("Unable to Login");
}

In this example, the `?` placeholders are used in the SQL query, and setString safely assigns the user input to the query parameters, ensuring that special characters are correctly escaped and handled.

Example of a Union-Based SQL Injection

SELECT ProductName, ProductDescription, ProductCost
FROM Products
WHERE ProductId = '100' UNION SELECT Username, Password FROM Users;

Using the UNION SELECT statement, this query combines the request for item 100’s name and description and cost with another that pulls names and passwords for every user in the database.

Types of SQL Injection

SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi.

In-band SQL Injection

In-band SQL injection is the most common type of attack. With this type of SQL injection attack, a malicious user uses the same communication channel for the attack. The same channel is used to gather results.

Error-based SQL Injection: This technique allows attackers to gain information about the database structure. They achieve this by using a SQL command to generate an error message from the database server. Error messages are useful during the development of a web application or web page. However, they can be a vulnerability later. This is because they expose information about the database. Attackers intentionally force the application to generate errors through malformed queries.

Union-based SQL injection: This technique involves attackers using the UNION SQL operator. They combine multiple select statements to return a single HTTP response. An attacker can use this technique to extract information from the database.

Inferential SQL Injection

Inferential SQL injection is also called blind SQL injection because the website database doesn’t transfer data to the attacker like with in-band SQL injection. Instead, a malicious user can learn about the structure of the server by sending data payloads and observing the response.

Boolean injection: With this technique, attackers send a SQL query to the database and observe the result. Using true/false statements to infer database information based on the application’s behavior.

Time-based injection: With this technique, attackers send a SQL query to the database. The query makes the database wait a specific number of seconds before responding. Attackers can determine if the result is true or false. They analyze how many seconds elapse before a response. For example, a hacker could use a SQL query. It commands a delay if the first letter of the first database’s name is A. Then, if the response is delayed, the attacker knows the query is true.

Out-of-Band SQL Injection

This type is less common but can be effective when other methods are not feasible. In this type of SQL injection attack, malicious users employ different communication channels. They use one channel for the attack and another to gather results. Attackers use this method if a server is too slow or unstable to use inferential SQL injection or in-band SQL injection.

Best Practices to Protect Your Database from SQL Injection

Install the latest software and security patches from vendors when available.
Conduct regular security testing, including penetration testing and code reviews, to identify and fix vulnerabilities before they are exploited
Always use prepared statements or parameterized queries that separate SQL code from data, ensuring user inputs are handled securely.
Configure error reporting instead of sending error messages to the client web browser.
Use stored procedures to build SQL statements with parameters that are stored in the database and called from the application.
Use allowlist input validation to prevent unvalidated user input from being added to query.

November 20, 2024March 26, 2025 vibssingh

SQL Multiple Choice Answers – MCQ3

Last Updated On

March 26, 2025

HOME

Welcome to the SQL Quiz!

SQL Multiple Choice Questions – MCQ3

Answers

1) d) We can insert and delete rows in a view

2) d) Order By

Order By clause is used to sort the retrieved data in ascending or descending order. Group By clause is used to group the result-set by one or more columns. Order and Group are not valid SQL commands.

3) a) True

NULL signifies an unknown value or a value which doesn’t exist during the creation of the record.

4) c) Drop

5) a) <>

6) c) Select top

7) d) Limit

All database systems does not supports SELECT TOP clause. It can be used in SQL. Mysql supports the LIMIT clause to fetch a limited number of records from the database table.

8) d) All correct

9) b) Selects a record if both conditions are true

10) b) Adds a value to a column’s existing value

11) a) True

12) d) No syntax error

13) d) No error

14) a) XOR operator

SQL does not have an XOR logical operator. Use AND/OR instead.

15) d) All Correct

The compound operator ‘*=’ is correctly used to double the salary of specified employees.

16) a) It functions as a WHERE clause

Without GROUP BY, HAVING functions like a WHERE clause, filtering rows based on specified conditions.

17) a) The query fails

Using a column in SELECT that is not part of GROUP BY without an aggregate function causes the query to fail.

18) c) GROUP BY Salary

GROUP BY should be used with the column mentioned in SELECT, here it should be GROUP BY Department.

19) d) HAVING AverageSalary > 50000

HAVING should be used with an aggregate function directly, not with an alias.

20) a) SELECT Name

Name should be included in the GROUP BY clause or used within an aggregate function.

21) d) No Error

The query correctly groups by Department and uses HAVING to filter groups.

22) d) All Correct

ORDER BY 3 is correct, indicating ordering by the third column in the SELECT list.

23) c) WHERE MAX(Salary) > 50000

Aggregate functions such as MAX should be used in the HAVING clause when filtering groups created by the GROUP BY clause.

24) c) No error

The query correctly uses HAVING with ALL to compare counts across departments.

25) c) HAVING clause misuse

The original statement had an error in the HAVING clause. It incorrectly used the alias ‘TotalEmployees’. The correct HAVING clause should be “HAVING COUNT(*) > 5”.

November 4, 2024November 4, 2024 vibssingh

SQL Multiple Choice Answers – MCQ2

Last Updated On

November 4, 2024

HOME

Welcome to the SQL Quiz!

SQL Multiple Choice Questions – MCQ2

Answers

1) c) Organized collection of data or information that can be accessed, updated, and managed

2) c) Table

3) a) All Correct

4) c) WHERE clause

The WHERE clause is incomplete and needs a condition to specify which records to update.

5) a) True

6) a) SELECT * FROM Employees WHERE FirstName=’Peter’ AND LastName=’Jackson’

7) a) All Correct

8) b) >= ‘2023-06-01’

The OR operator should be followed by a complete condition, including the column name.
SELECT * FROM Orders WHERE OrderDate >= ‘2023-01-01’ OR OrderDate >= ‘2023-06-01’;

9) c) HAVING

10) c) No error

11) a) SELECT * FROM Employees WHERE LastName BETWEEN ‘Hansen’ AND ‘Pettersen’

12) a) SELECT DISTINCT

13) a) ORDER BY

14) a) SELECT * FROM Employees ORDER BY FirstName DESC

15) a) INSERT INTO Employees VALUES (‘Jimmy’, ‘Jackson’)

16) a) INSERT INTO Persons (LastName) VALUES (‘Olsen’)

17) c) To give users access privileges

18) b) Removes specific access privileges from users

19) d) All Correct

20) c) ON Database

This is because the REVOKE statement usually specifies the type of object (such as a) specific table or schema) with tables). Just mentioning Database without specifying an object within it is incorrect. The corrected syntax typically needs to look like:

REVOKE INSERT, UPDATE ON Database.* FROM user123;

21) a) UPDATE Employees SET LastName=’Nilsen’ WHERE LastName=’Hansen’

22) a) DELETE FROM Employees WHERE FirstName = ‘Peter’

23) a) SELECT COUNT(*) FROM Employees

24) d) INNER JOIN

25) a) BETWEEN

October 21, 2024November 27, 2024 vibssingh

SQL Multiple Choice Answers – MCQ1

Last Updated On

November 27, 2024

HOME

Welcome to the SQL Quiz!

SQL Multiple Choice Questions – MCQ1

Answers

1) a) Structured Query Language

2) a) CREATE TABLE

CREATE TABLE Students (ID int PRIMARY KEY, Name varchar(50));

3) a) SELECT

SELECT column1, column2, ... FROM table_name;

4) a) Primary Key

5) c) Reduce data redundancy

6) c) Relational

7) a) Deletes a table called Student

8) a) UPDATE

UPDATE table_name
SET column1 = value1, column2 = value2, ...
WHERE condition;

9) a) INSERT INTO

INSERT INTO table_name (column1, column2, column3, ...)
VALUES (value1, value2, value3, ...);

10) a) DELETE

DELETE FROM table_name WHERE condition;

11) a) Select, From

12) d) ;

13) b) ALTER

ALTER TABLE table_name
ADD column_name datatype;

14) a) DROP deletes the table, TRUNCATE deletes only the table data

15) a) TABEL

16)

a) SELECT FirstName FROM Students

17)

a) SELECT * FROM Students

18)

a) SELECT * FROM Students WHERE FirstName='Peter'

19)

a) SELECT * FROM Students WHERE FirstName LIKE 'a%'

20) c) By ensuring all operations within the transaction are completed before committing

21) a) PRIMARY

It should be PRIMARY KEY instead of PRIMARY.

CREATE TABLE Students (ID int PRIMARY KEY, Name varchar(50));

22) d) All Correct

23) b) Modifies an existing record

24) c) Specifies which records to delete

25) a) All Correct

October 21, 2024March 26, 2025 vibssingh

SQL Multiple Choice Questions – MCQ1

Last Updated On

March 26, 2025

HOME

Welcome to the SQL Quiz! This blog post features 25 multiple-choice questions that explore essential concepts of SQL.

1. What does SQL stand for?

Select the best answer

a) Structured Query Language
b) Strong Question Language
c) Structured Question Language
d) None

What is SQL Injection?

How does SQL Injection works?

Consequences of SQL Injection

SQL Injection Example

In-band SQLi (Classic) SQL Injection Example

Example of a Union-Based SQL Injection

Types of SQL Injection

In-band SQL Injection

Inferential SQL Injection

Out-of-Band SQL Injection

Best Practices to Protect Your Database from SQL Injection

Connecting to SQL Server in Java

Get a connection to Database

Create a statement object

Execute the SQL query

Process the resultSet

Programming Languages

Java

Test Automation Frameworks

Selenium

Advance Selenium

Robot Framework

JUnit4

TestNG

API Testing

Rest API

Pytest Framework

DevOps & Continuous Integration/Continuous Deployment (CI/CD)

DevOps

Jenkins

Version Control Systems

Git

GitHub

Containerization

Docker

Database

SQL

Types of Testing

Security Testing

Performance Testing

ETL Testing