What is SQL injection?

2nd October 2025

How could your systems be tricked into executing unintended commands?

To understand how this attack works, first we need to understand how SQL works. SQL, or Structured Query Language, is the standard language used to interact with relational databases. It is what most web applications use to manage user data, content and transactions.

Some examples of SQL include:

· SELECT – Retrieving data
· INSERT – Inserting new records
· UPDATE – Updating existing records
· DELETE – Deleting records

To give an example of how this works, if a user logs in, the application might run a query like:

SELECT * FROM users WHERE username = 'interfuture' AND password = 'secure123';

It looks more complicated than it is. The bottom line: SQL injection exploits queries like this one to breach systems, bypass security controls and take over systems.

In SQL injection, malicious SQL code is inserted into an input field. This tricks the application into executing unintended commands by exploiting weaknesses in how user input is handled, particularly when input is embedded directly into SQL queries without proper validation. To explain using an example, say you had a login form with this query:

SELECT * FROM users WHERE username = 'userinput' AND password = 'passinput';

If the attacker were to enter ' OR '1'='1 as both the username and the password, the query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';

Since ‘1’=’1’ is always true, the query returns all users, granting unauthorised access. There are four types of SQL injection:

· Classic – direct manipulation of SQL queries via input fields
· Blind – the attacker asks the database true or false questions and guesses at data based on the responses
· Time-based blind – uses SQL commands that cause delays, like WAITFOR or DELAY, to infer information based on response time
· Out-of-band – exploits features like DNS or HTTP requests to exfiltrate data when standard methods are not viable
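The login example above, worked through in code. This is an added example, not code from the original post: a constructed in-memory SQLite database with two users, a login function that embeds input straight into the query text (the vulnerable pattern), and the same lookup written as a parameterised query, which treats the ' OR '1'='1 input as a plain string and returns nothing.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
# Real applications store password hashes, never plaintext; plaintext
# is used here only to keep the example short.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("interfuture", "secure123", "admin"), ("alice", "hunter2", "user")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Input is concatenated into the SQL text, exactly the pattern the post
    # warns about: quotes in the input become part of the query's structure.
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so user input can only ever be compared as data, never parsed
    # as SQL. This is the standard defence against SQL injection.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, valid credentials:", login_vulnerable(conn, "interfuture", "secure123"))
    print("vulnerable, payload as both fields:", login_vulnerable(conn, payload, payload))
    print("safe, valid credentials:", login_safe(conn, "interfuture", "secure123"))
    print("safe, payload as both fields:", login_safe(conn, payload, payload))
```

With the payload, the vulnerable function returns every user (the condition is always true), while the parameterised version returns an empty list because no account has that literal string as its username and password.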

Again, complicated, but what does it mean for you? An SQL injection attack can lead to data being accessed (like user passwords or financial records) or manipulated. In extreme cases, attackers can log in as an admin or other users, or execute commands on the underlying server and take over the entire system.

Since these attacks are so simple to execute and so effective, they are popular among attackers – do you have the right coding practices and security in place to defend against them effectively?

If you don’t think your cyber security could handle an SQL injection, or if you just have any questions, please contact Interfuture Security – we can help!

YouTube: https://youtu.be/ibj3qJb7L2s