0% found this document useful (0 votes)
2 views3 pages

SQL

SQL Injection (SQLi) is a critical vulnerability in database-driven applications that allows attackers to manipulate SQL queries, leading to unauthorized access and data breaches. It is essential for professionals in database management and security to understand SQLi to prevent data theft, manipulation, and legal consequences. Prevention techniques include using prepared statements, input validation, and web application firewalls to secure applications against SQLi attacks.

Uploaded by

jm.dharani2005
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
2 views3 pages

SQL

SQL Injection (SQLi) is a critical vulnerability in database-driven applications that allows attackers to manipulate SQL queries, leading to unauthorized access and data breaches. It is essential for professionals in database management and security to understand SQLi to prevent data theft, manipulation, and legal consequences. Prevention techniques include using prepared statements, input validation, and web application firewalls to secure applications against SQLi attacks.

Uploaded by

jm.dharani2005
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

-Dharani JM(2303717610421075)

9-5-2025

SQL Injection - DBMS Assignment

Introduction

SQL Injection (SQLi) is one of the most dangerous and widespread vulnerabilities found in database-
driven applications. It allows attackers to manipulate SQL queries by injecting malicious code, often
through user inputs, to gain unauthorized access, manipulate, or destroy data stored in relational
databases.

SQL Injection is categorized under OWASP Top 10 vulnerabilities, reflecting its criticality in modern
web application security.

Importance of Understanding SQL Injection

Understanding SQL Injection is essential for database administrators, backend developers, and
security analysts. It not only helps prevent data breaches but also ensures data integrity,
confidentiality, and availability within enterprise systems.

How SQL Injection Works

Working Mechanism of SQL Injection

SQL Injection typically exploits vulnerabilities in input fields where user input is directly concatenated
into SQL queries without proper sanitization or validation.

Example of a vulnerable SQL query:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

If an attacker enters:

• username: admin' --

• password: (anything)

The resulting query becomes:

SELECT * FROM users WHERE username = 'admin' --' AND password = '';

The -- starts a comment in SQL, effectively removing the password check. The attacker is logged in
without knowing the password.
Types of SQL Injection Attacks

Types of SQL Injection

a) Classic SQL Injection

Direct insertion of malicious code into user input to change the logic of SQL statements.

b) Blind SQL Injection

Occurs when the application does not show errors, but attackers observe the behavior of the system
to infer information (True/False logic).

c) Time-Based Blind SQLi

Uses delays (like SLEEP(5)) to test if queries are executing in the background.

d) Union-Based SQLi

Used to retrieve data from other tables by using the UNION SQL operator.

e) Error-Based SQLi

The attacker intentionally triggers database errors to extract information from the error messages.

Real-World Impacts and Case Studies

Real-World Consequences

• Data theft: Sensitive user data (usernames, passwords, credit cards) can be leaked.

• Data manipulation: Attackers can modify or delete records.

• Authentication bypass: Attackers can log in as administrators.

• Loss of trust: Affects reputation of organizations.

• Legal consequences: Non-compliance with data privacy laws like GDPR, HIPAA, etc.

Famous SQLi Attacks

• Sony Pictures (2011): Over 1 million user records stolen using SQLi.

• Heartland Payment Systems: SQLi contributed to the breach of over 100 million credit cards.

• Yahoo (2012): SQL Injection used to steal 450,000 email addresses and passwords.
Prevention Techniques & Conclusion

How to Prevent SQL Injection

Use Prepared Statements (Parameterized Queries)

Avoid string concatenation and use safe methods to pass data:

cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username,


password))

Stored Procedures

Encapsulate SQL logic within database functions to isolate user input from query structure.

Input Validation

Reject or sanitize suspicious characters (', --, ;, etc.) before using inputs in queries.

Escaping User Input

Use database-specific functions to escape special characters.

Least Privilege Access

Database users should have the minimum privileges necessary to reduce the impact of a successful
injection.

Web Application Firewalls (WAFs)

WAFs can detect and block common SQL injection patterns before they reach the backend.

Conclusion

SQL Injection remains a significant threat in the cybersecurity world. Despite being an old
vulnerability, it continues to be exploited due to poor coding practices and lack of awareness. By
following secure coding techniques, validating inputs, and understanding the mechanics of SQLi,
developers and database professionals can build secure, resilient applications.

You might also like