SQL Injection Attack

What Does SQL Injection Attack Mean?

An SQL injection attack is an attempt to issue SQL commands to a database via a website interface. This is to gain stored database information, including usernames and passwords.


This code injection technique exploits security vulnerabilities in an application's database layer. Hackers exploit poorly coded websites and web apps to inject SQL commands, for example, taking advantage of a login form to gain access to the data stored in the database.

In simple terms, SQL injection attacks occur because the user-input fields permit the SQL statements to pass through and directly query the database.

Techopedia Explains SQL Injection Attack

Modern websites include login pages, search pages, support and product request forms, shopping carts, feedback forms and so on.

These website features are all vulnerable to SQL injection attacks due to the availability of user-input fields. An attacker can easily execute arbitrary SQL statements if these websites are prone to SQL injection. This may compromise the databases’ integrity and can expose sensitive data.

Based on the back-end database used, SQL injection vulnerabilities can result in varying levels of injection attacks. Attackers may manipulate existing queries, use subselects, or add additional queries. In some instances, it may be even possible to read in or write out to files. Also, the attackers may execute shell commands on the root operating system (OS).

Some SQL Servers like Microsoft SQL Server incorporate stored and extended procedures. If an SQL injection attacker obtains access to these procedures, it can lead to highly undesirable outcomes. Improperly coded websites and webapps are always prone to this kind of attack.

The ideal way to avoid injection attacks is by detecting the vulnerabilities of websites and web apps before going live. There are automated SQL injection scanners which help the penetration testers verify the vulnerability of websites and web apps for potential SQL injection attacks.

This helps the web admin to instantly fix the vulnerable code and protect the websites from any potential SQL injection attacks.


Related Terms

Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.