SQL Injection

An SQL injection is a form of cyberattack that targets database-linked websites and web applications. These attacks exploit poorly-configured website and database server software to trick a server into parsing SQL statements it otherwise would not carry out. These attacks may reveal sensitive personal and financial information, allow an attacker to change or delete information stored in a database, or provide other unauthorized access.

A website is vulnerable to an SQL injection when it accepts user input from a text form and includes it as part of an SQL query. Instead of filling out the form field with expected information (like a username), the attacker enters a text string that modifies the SQL query. For example, a hypothetical query might start with SELECT UserID, Name, Password FROM Users WHERE UserID = , followed by the input from a User ID form field. If the user enters their User ID, the query works as expected and pulls up their information.

An attacker injects unexpected text into a query statement to change it
An attacker injects unexpected text into a query statement to change it

However, if the server inserts input text into the query unrestricted, an attacker can use it to modify the SQL query statement itself. If instead of a User ID, someone enters the text 317 OR 1=1, the query becomes SELECT UserID, Name, Password FROM Users WHERE UserID = 317 OR 1=1;. Since OR 1=1 always resolves true, it overrides the User ID; the query instead returns the User IDs, names, and passwords of all entries in the Users table. Other types of code injection may allow an attacker to log in as a site administrator, delete records or tables from a database, or (in some extreme cases) inject and run shell scripts and other code.

A website administrator can prevent SQL injection attacks by keeping the server software up to date. It is also important to "sanitize" database inputs by restricting input text or by filtering out certain characters. Website administrators may also parameterize their SQL queries — using placeholders in the query that refer to the user input instead of inserting it directly into the query.

Updated March 20, 2023 by Brian P.

quizTest Your Knowledge

MIME types are also called what?

A
Media types
0%
B
File types
0%
C
App types
0%
D
Web types
0%
Correct! Incorrect!     View the MIME Type definition.
More Quizzes →

The Tech Terms Computer Dictionary

The definition of SQL Injection on this page is an original definition written by the TechTerms.com team. If you would like to reference this page or cite this definition, please use the green citation links above.

The goal of TechTerms.com is to explain computer terminology in a way that is easy to understand. We strive for simplicity and accuracy with every definition we publish. If you have feedback about this definition or would like to suggest a new technical term, please contact us.

Sign up for the free TechTerms Newsletter

How often would you like to receive an email?

You can unsubscribe or change your frequency setting at any time using the links available in each email.

Questions? Please contact us.