SQL Injection

SQL Injection (SQLi) is a code injection attack that allows attackers to manipulate a database by inserting malicious SQL code into input fields. It can occur in various areas such as login forms and search boxes, and its impacts include bypassing authentication and accessing sensitive data. Protection against SQLi involves using parameterized queries, stored procedures, input validation, and web application firewalls.

SQL Injection (SQLi)

Definition:
SQL Injection (SQLi) is a code injection attack where attackers insert malicious SQL code into input fields (like username or password) to manipulate the backend database.

Why it works:
SQL does not separate data from commands. When user input is inserted directly into an SQL query string, the database may interpret it as part of the SQL command rather than as a plain value.

Where it occurs:

- Login forms
- Search boxes
- URL query strings
- Any area where user input is used to build SQL queries

How it’s done:

Attackers inject SQL code like ' OR '1'='1 into input fields to alter the logic of the SQL query.

Example:

Normal query:

SELECT * FROM users WHERE username='john' AND password='1234';

Injected input (typed into the username field):

john' OR '1'='1

Modified query:

SELECT * FROM users WHERE username='john' OR '1'='1';

The OR '1'='1' clause makes the WHERE condition always true, so the query returns rows and access is granted.

Impacts of a successful SQLi attack:

- Bypass authentication
- View, modify, or delete sensitive data
- Execute database administration operations
- Read system files on the server
- Execute OS-level commands (in some cases)

Types of SQL Injection (SQLi)

SQL Injection attacks can be classified into three main categories:

1⃣ In-band SQLi (Classic SQLi)

➡ Most common and easiest to exploit.
➡ Uses the same channel for both the attack and receiving data.

a. Error-based SQLi

- Relies on error messages from the database server.
- Errors help attackers understand database structure.
- Often enough to extract full data if detailed errors are shown.
- Best practice: Disable detailed errors on live sites.

b. Union-based SQLi

- Uses the UNION SQL operator to merge results of two queries.
- Returns data from other database tables via the same response.
- Easy way to leak sensitive data.

2⃣ Inferential SQLi (Blind SQLi)

➡ No direct data is returned.
➡ Attacker infers information by observing the application’s behavior.

a. Boolean-based (Content-based) Blind SQLi

- Sends queries that return TRUE or FALSE.
- Application response (content change or no change) helps the attacker guess values.
- Used to brute-force database information.
- Slow and time-consuming, but effective.

b. Time-based Blind SQLi

- Injects queries that cause a delay in the server response if the condition is true.
- Example: IF(condition, SLEEP(5), 0)
- Measures response time to infer data.
- Useful when there’s no visual change in the app response.

3⃣ Out-of-band SQLi

➡ Used when in-band and inferential SQLi are not possible.
➡ Sends data through a different channel like DNS or HTTP.

- Requires special features to be enabled on the DBMS.
- Used in unstable networks or apps where time-based SQLi is unreliable.
- Example techniques:
  - Microsoft SQL Server: xp_dirtree to make DNS requests.
  - Oracle Database: UTL_HTTP to send HTTP requests to an attacker's server.
- Can be used to exfiltrate data externally.

The following is a point-wise explanation of "Protection Against SQL Injection (SQLi) Attacks" and its consequences, in a form suited to a 16-mark question.

✅ Protection Against SQLi Attacks – Point-wise

1. Use Parameterized Queries (Prepared Statements)
   o Always use placeholders (?) for inputs instead of directly inserting them into SQL statements.
   o Example (in Java; username and password hold the submitted form values):

     PreparedStatement stmt = conn.prepareStatement(
         "SELECT * FROM users WHERE username = ? AND password = ?");
     stmt.setString(1, username);   // bound as data, never parsed as SQL
     stmt.setString(2, password);

   o This ensures input is treated as data, not executable code.
2. Use Stored Procedures
   o Stored procedures are precompiled SQL code stored in the database.
   o They limit query types and reduce the risk of dynamic code execution.
3. Avoid Dynamic SQL
   o Dynamic SQL means building queries at runtime from user input, which is risky.
   o Prefer static queries, or use strong validation if dynamic queries are absolutely necessary.
4. Input Validation
   o Use whitelisting to allow only safe characters (e.g., only letters and digits).
   o Reject dangerous characters like ', ", ;, --, etc.
5. Sanitize Inputs
   o Remove or escape special characters that could alter SQL syntax.
   o Sanitize all data coming from external sources, including forms, cookies, headers, etc.
6. Block Known Malicious Input
   o Use blacklists to detect common attack patterns.
   o However, this method is less reliable because attackers use encoding tricks and obfuscation.
7. Prevent Case-sensitive and Encoding Bypasses
   o Filters must handle different cases (SELECT, select, SeLeCt, etc.).
   o Decode any encoded input before validation to prevent bypass.
8. Use Web Application Firewalls (WAF)
   o WAFs can help detect and block SQLi attempts using signature-based or anomaly-based detection.
9. Use HTTPS Decryption for Detection
   o Many SQLi payloads arrive over encrypted HTTPS (port 443).
   o Use security tools that support decryption of TLS 1.3 and Kerberos to inspect and detect SQLi payloads.
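An added example (not from the original notes) of items 6 and 7 above: a small signature check that URL-decodes a request parameter (including double encoding) and case-folds it before matching the patterns these notes mention, run over constructed sample values. The signature names and sample parameters are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the constructs these notes discuss (tautology, UNION,
# SLEEP, xp_dirtree/UTL_HTTP, comment sequence). A blacklist like this is a
# detection aid for a WAF or log review, not a replacement for parameterized
# queries, and it will never be complete.
SIGNATURES = [
    ("tautology",   re.compile(r"'\s*or\s*'\d+'\s*=\s*'\d+")),   # ' OR '1'='1
    ("union",       re.compile(r"\bunion\b.*\bselect\b")),
    ("time-delay",  re.compile(r"\bsleep\s*\(")),
    ("out-of-band", re.compile(r"\b(xp_dirtree|utl_http)\b")),
    ("comment",     re.compile(r"--")),
]

def normalize(value, max_rounds=3):
    # Decode URL encoding repeatedly (covers double encoding such as %2527),
    # then case-fold, so SeLeCt and select look the same to the matcher.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.casefold()

def looks_like_sqli(value):
    # Returns the names of the signatures that match the normalized input.
    norm = normalize(value)
    return [name for name, pattern in SIGNATURES if pattern.search(norm)]

# Constructed request parameter values (not from the notes); the payload
# strings are the ones the notes themselves use.
SAMPLE_PARAMS = {
    "plain":          "john",
    "tautology":      "john' OR '1'='1",
    "mixed_case":     "1 UnIoN SeLeCt 1,2",
    "url_encoded":    "john%27%20OR%20%271%27%3D%271",
    "double_encoded": "john%2527%2520OR%2520%25271%2527%253D%25271",
    "time_based":     "1 AND IF(1=1, SLEEP(5), 0)",
}

def scan(params):
    return {name: looks_like_sqli(value) for name, value in params.items()}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_PARAMS).items():
        print(f"{name:15s} {'FLAG ' + ','.join(hits) if hits else 'ok'}")
```

Without the decode step the url_encoded and double_encoded values would pass a raw check unflagged, which is the bypass item 7 warns about.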

The Injection Technique – How SQLi Occurs

1. Untrusted Data Entry
   o An attacker enters malicious input into fields like username, password, or search boxes.
2. Dynamic Query Construction
   o The application builds a query using that input directly, leading to unintended SQL execution.

Consequences of SQL Injection

1. Loss of Confidentiality
   o Sensitive data like usernames, passwords, and credit card numbers can be leaked.
2. Bypass Authentication
   o Attackers can log in as other users without knowing passwords (e.g., using ' OR '1'='1).
3. Authorization Bypass
   o Attackers can elevate privileges or access areas/data they’re not supposed to.
4. Loss of Integrity
   o Data can be modified or deleted, affecting trust and system reliability.
