
Web Security: How SQL Injection Attacks Work

Putting uninvited SQL... where it's not supposed to go.

Once upon a time, in the dark and mysterious lands of the early 2000s, developers were happily building websites, blissfully unaware of the chaos that awaited them.

Enter SQL Injection (SQLi), the mischievous trick that allowed attackers to sneak into databases like a ninja in a tracksuit.

SQL injection was first publicly described around 1998 (Rain Forest Puppy's Phrack article on NT web technology vulnerabilities), and it has been behind some of the largest data breaches on record since.

The early web was full of MySpace-era pages with tutorials on how to hand-code your own website.

And many of those original tutorials had readers build SQL statements by pasting unfiltered form input straight into the query string.

Here is why that was bad:

Let’s say you have a simple login form, and the application builds its query by pasting the two form fields straight into the SQL text. With username admin and password password123 the query is:

SELECT * FROM users WHERE username = 'admin' AND password = 'password123';

Nothing suspicious, right? But here’s where the magic (read: disaster) happens. What if an attacker enters this as the username?

admin' --

The query now looks like this:

SELECT * FROM users WHERE username = 'admin' --' AND password = 'password123';

Since -- starts a comment in SQL (MySQL only honours it when followed by whitespace, which is why the payload has a trailing space), everything after it is ignored. The password check is gone, the query matches the admin row, and if the application treats "a row came back" as "logged in", that's instant admin access. Boom!

The Classic ' OR '1'='1' Attack

Another famous trick is an always-true condition. If the attacker types ' OR '1'='1 into both the username and the password field, the query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';

AND binds tighter than OR, so the database reads this as username = '' OR ('1'='1' AND password = '') OR '1'='1'. The last term is always true, so every row matches and the application typically logs you in as whichever user comes back first (often the admin, since that account tends to be created first). Precedence matters here: putting the payload in only the username field leaves the condition as username = '' OR ('1'='1' AND password = ''), which only matches accounts with an empty password. Congratulations, you’re now an admin! (Just kidding, please don’t do this.)

How to Prevent SQL Injection (a.k.a. Don’t Be That Developer)

Now that you’re thoroughly terrified, let’s talk about fixing this mess.

1. Use Prepared Statements (aka The Silver Bullet)

Instead of embedding user input directly in the SQL text, use prepared statements (parameterized queries): the query contains placeholders, and the values are sent to the database separately. This is the actual fix; everything else on this list is defense in depth.

Python Example (Using SQLite3):

import sqlite3

db = sqlite3.connect("users.db")
cursor = db.cursor()
username = input("Enter username: ")
password = input("Enter password: ")

# The ? placeholders are filled in by the driver. The values never become
# part of the SQL text, so a quote or a -- inside them is just data.
cursor.execute("SELECT * FROM users WHERE username=? AND password=?", (username, password))
result = cursor.fetchone()

if result is None:
    print("Login failed")
else:
    print("Welcome,", username)

Notice how the input is passed separately from the query text? The driver sends the SQL and the values to the database as two different things, so the values can never be parsed as SQL syntax. That is why prepared statements stop SQLi by design for anything that is a value. Column and table names cannot be bound as parameters, which is where the next section comes in. (Comparing a plaintext password inside the query is its own sin; real code compares a password hash in application code, but that is a different article.)
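To see both of the attacks from earlier against the tutorial-style string-built login, and the prepared-statement version shrugging them off, here is an added example written for this post (it is not code from the original tutorial). It builds an in-memory SQLite database with two constructed accounts, admin and alice; the passwords are made up and stored in plaintext only to keep the demo short.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (assumption: two accounts)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real code stores a hash.
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2")])
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The early-tutorial pattern: paste the form fields into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same query, but the values travel as bound parameters, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_demo():
    """Try the post's payloads against both versions; returns who got in."""
    db = make_db()
    payloads = {
        "legit":       ("admin", "s3cret"),
        "comment":     ("admin' --", "whatever"),       # -- comments out the password check
        "tautology":   ("' OR '1'='1", "' OR '1'='1"),  # trailing OR makes the WHERE true
        "tautology_1": ("' OR '1'='1", "whatever"),     # username field only: AND binds first
    }
    return {name: (login_vulnerable(db, u, p), login_safe(db, u, p))
            for name, (u, p) in payloads.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:12s} vulnerable -> {vuln!r:8} prepared -> {safe!r}")
```

Running it prints one line per payload: the comment and the double tautology both come back as admin against the string-built query and as nothing against the prepared one. The fourth case is the precedence trap from above: the tautology typed into only the username field does not get in, because AND binds tighter than OR.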

2. Sanitize User Input (No Funny Business Allowed)

If you absolutely must build part of a query from input (for example a column name for ORDER BY, which cannot be a bound parameter), validate the value against an allowlist of known-good options and reject everything else. Escaping quotes only protects string literals, does nothing in a numeric context, and is easy to get wrong; treat it as a last resort, not as sanitization.
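Here is what that looks like in practice, as an added example for this post (not the original's code), on a constructed in-memory SQLite table named users with made-up rows. Doubling single quotes makes a string literal safe, but the same escaping does nothing when the value lands in a numeric context, and neither approach helps for a column name in ORDER BY, which cannot be a bound parameter at all; for that the code compares the input against an allowlist.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (assumption: three users)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                   [("mallory", "user"), ("alice", "admin"), ("bob", "user")])
    db.commit()
    return db


def quote_literal(value):
    """Escape a string for use inside single quotes: each ' becomes ''.

    Only correct when the value is placed inside a quoted string literal.
    """
    return "'" + value.replace("'", "''") + "'"


def find_by_name_escaped(db, username):
    """Escaping works here because the value sits inside quotes."""
    query = "SELECT username FROM users WHERE username = " + quote_literal(username)
    return [row[0] for row in db.execute(query)]


def find_by_id_unquoted(db, user_id):
    """Numeric context: there are no quotes, so quote-escaping is useless."""
    query = "SELECT username FROM users WHERE id = " + user_id.replace("'", "''")
    return [row[0] for row in db.execute(query)]


# Columns a client may sort by (assumption: the hypothetical users table has these).
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users(db, sort_by, descending=False):
    """Sort by a client-chosen column, accepted only if it is on the allowlist."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction = "DESC" if descending else "ASC"
    query = f'SELECT username FROM users ORDER BY "{sort_by}" {direction}'
    return [row[0] for row in db.execute(query)]


if __name__ == "__main__":
    db = make_db()
    print("escaped literal, tautology payload:", find_by_name_escaped(db, "' OR '1'='1"))
    print("unquoted number, tautology payload:", find_by_id_unquoted(db, "0 OR 1=1"))
    print("allowlisted sort:", list_users(db, "username"))
    try:
        list_users(db, "username; DROP TABLE users--")
    except ValueError as err:
        print("rejected:", err)
```

The escaped lookup returns nothing for the tautology payload, because the whole thing is now one harmless string literal. The numeric lookup with the payload 0 OR 1=1 returns every row, since there was never a quote to escape. The sort rejects anything that is not literally one of the two allowed column names, so a payload never reaches the SQL text.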

3. Use ORM Frameworks

ORMs like SQLAlchemy (Python) or Entity Framework (C#) generate parameterized queries for you, as long as you stay on their query APIs. Their raw-SQL escape hatches (SQLAlchemy's text(), EF Core's FromSqlRaw) put you right back in string-building territory if you format user input into the string instead of binding it.

4. Restrict Database Privileges

Don’t give every application full database access. The web app's database account should only have the rights it actually needs (usually SELECT, INSERT and UPDATE on its own tables, no DROP, no administrative or file-system functions), so that a successful injection can read and change as little as possible. That is the principle of least privilege.

5. Monitor and Log Suspicious Activity

Use Web Application Firewalls (WAFs) and logging to detect and block attacks. Treat the WAF as a backstop, not the fix: pattern-based filters can be bypassed, and a sudden spike of database syntax errors in your application logs is often the first sign that someone is probing for injection.

SQL Injection vs Other Attacks (A Quick Comparison)

| Attack Type | What It Does | How Bad Is It? |
| --- | --- | --- |
| SQL Injection | Manipulates database queries | 🚨🚨🚨 (Very bad!) |
| XSS (Cross-Site Scripting) | Injects malicious scripts into webpages | 😱 (Bad, but fixable) |
| CSRF (Cross-Site Request Forgery) | Forces users to perform actions | 🤨 (Annoying, but preventable) |
| DDoS (Distributed Denial of Service) | Overloads servers | 😤 (Painful, but survivable) |

Final Thoughts

SQL Injection is one of the oldest web vulnerabilities, and it still sits in the OWASP Top 10 under Injection.

If you’re a developer, always use prepared statements, allowlist anything that cannot be a parameter, and give your database account only the privileges it needs.

