SQL injection attacks execute malicious SQL — defend with parameterised queries, never string concatenation.
SQL Injection (SQLi)
# Vulnerable code (PHP)
$query = "SELECT * FROM users WHERE email = '" . $_POST['email'] . "'";
# Attack: email = ' OR '1'='1
# Result: SELECT * FROM users WHERE email = '' OR '1'='1'
# Returns ALL users!
# Attack 2: UNION-based extraction
# email = ' UNION SELECT username,password,null FROM users--
# Dumps all credentials
# Attack 3: blind boolean
# email = alice@test.com' AND SUBSTRING(password,1,1)='a'--
# DEFENCE 1: Parameterised queries (always use this)
# PHP PDO
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$_POST['email']]);
# Python (DB-API; %s is the psycopg2/MySQLdb placeholder, sqlite3 uses ?)
cursor.execute('SELECT * FROM users WHERE email = %s', (email,))
# DEFENCE 2: Input validation (Python; reduces attack surface but does not replace DEFENCE 1)
import re
if not re.match(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$', email):
    raise ValueError('Invalid email')
# DEFENCE 3: Least privilege DB user
# webapp user has SELECT, INSERT, UPDATE only
# NO DROP TABLE, NO FILE privileges
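The vulnerable lookup and the parameterised one side by side, run against the page's first attack string, as an added example that is not code from the original page. It uses Python's sqlite3 (placeholder `?` rather than `%s`), a constructed three-row users table, and the DEFENCE 2 regex with the dot before the TLD escaped.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original page).
USERS = [("alice@test.com", "alice"), ("bob@test.com", "bob"),
         ("carol@test.com", "carol")]

# The page's DEFENCE 2 regex with the dot before the TLD escaped;
# fullmatch() is used so a trailing newline cannot slip past '$'.
EMAIL_RE = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$')

def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_concat(conn, email):
    """Vulnerable: the same string concatenation as the PHP snippet above.
    Whatever the caller supplies becomes part of the SQL text."""
    query = "SELECT username FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_param(conn, email):
    """Hardened (DEFENCE 1): the value travels separately from the SQL text,
    so quotes and keywords inside it are matched literally, never parsed.
    sqlite3 uses '?' placeholders; psycopg2 and MySQLdb use '%s'."""
    query = "SELECT username FROM users WHERE email = ?"
    return sorted(row[0] for row in conn.execute(query, (email,)))

def is_valid_email(email):
    """DEFENCE 2: allow-list check; any quote or space fails the regex."""
    return EMAIL_RE.fullmatch(email) is not None

def lookup_validated(conn, email):
    """Both defences together: reject malformed input, then parameterise."""
    if not is_valid_email(email):
        raise ValueError("Invalid email")
    return lookup_param(conn, email)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # the page's first attack string
    print("concat:", lookup_concat(db, payload))   # every user
    print("param: ", lookup_param(db, payload))    # no rows
    print("valid: ", is_valid_email(payload))      # False
```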