
24 March 2025

A Beginner's Guide to SQL Injection for Students

SQL Injection is a common hacking technique that targets vulnerabilities in a web application's database layer...

What is SQL Injection?

SQL Injection (SQLi) occurs when an attacker inputs malicious SQL code into a form field...

  SELECT * FROM users WHERE username = 'user' AND password = 'pass';

If the application doesn't properly validate or sanitize the input...

  SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'pass';
  -- AND binds tighter than OR, so this reads as: username = '' OR ('1'='1' AND password = 'pass')

Types of SQL Injection

  • Classic SQL Injection: Directly injecting malicious SQL...
  • Blind SQL Injection: The attacker doesn't see the query results...
  • Time-Based SQL Injection: The attacker uses delays...
  • Out-of-Band SQL Injection: The attacker uses external channels...
  • Union-Based SQL Injection: The attacker uses the UNION operator...

How to Test for SQL Injection

To understand SQL Injection, you can practice on a safe, legal environment...

This command connects to a MySQL server hosted at docker.hackthebox.eu...

Common MySQL Commands for SQL Injection Testing

  • SHOW DATABASES; Lists all databases...
  • USE database_name; Switches to a specific database...
  • SHOW TABLES; Lists all tables...
  • DESCRIBE table_name; Shows the structure...
  • SELECT * FROM table_name; Retrieves all data...
  • SELECT column_name FROM table_name WHERE 1=1; A common starting point...

Example of SQL Injection Attack

  SELECT * FROM products WHERE name LIKE '%[user_input]%';

If you input abc' UNION SELECT username, password FROM users --...

  SELECT * FROM products WHERE name LIKE '%abc' UNION SELECT username, password FROM users --%';
  -- The trailing "--" comments out the rest of the original query; a UNION only executes
  -- when both SELECTs return the same number of columns with compatible types.

How to Prevent SQL Injection

  • Use Prepared Statements: Instead of directly embedding user input...
      // Placeholders send user input as data, so it can never change the query structure.
      $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
      $stmt->execute([$username, $password]);
  • Input Validation: Ensure user input matches expected formats...
  • Escape Special Characters: If you must use user input...
  • Use Least Privilege: Ensure the database user account...
  • Use an ORM: Object-Relational Mapping tools...

Practice Safely and Ethically

Never test SQL Injection on systems you don’t own or have permission to test...
