diagram.mmd — flowchart
SQL Injection Attack flowchart diagram

SQL injection is a code injection attack where an attacker inserts malicious SQL syntax into user-controlled input that is concatenated directly into a database query, causing the database to execute unintended commands.

It remains one of the most critical web application vulnerabilities (consistently in the OWASP Top 10) because the consequences are severe: unauthorized data disclosure (dumping entire tables), data modification or deletion, authentication bypass, and in some configurations, remote code execution via database features like xp_cmdshell in SQL Server.

The vulnerability arises from string concatenation. Consider a login query built as: "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'". If an attacker enters admin' -- as the username, the resulting query becomes SELECT * FROM users WHERE username = 'admin' --' AND password = '...'. The -- starts a SQL comment, nullifying the password check entirely. The attacker logs in as admin without a valid password.

More destructive payloads use UNION SELECT to extract data from other tables, ; DROP TABLE users; -- to delete data, or boolean-based and time-based blind injection techniques to exfiltrate data one bit at a time even when the application doesn't return query results.

The definitive prevention is parameterized queries (prepared statements). Instead of building SQL strings, you pass the query template and user input as separate values: SELECT * FROM users WHERE username = ? AND password = ?. The database driver handles escaping and ensures user input is always treated as a data value, never executable SQL syntax. ORMs that use parameterized queries under the hood provide the same protection. Input validation (rejecting unexpected characters) and a web application firewall are complementary layers but not substitutes for parameterized queries.
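The login query from the text, built both ways against an in-memory SQLite table, as an added example (not code from the page or from Graphlet); the table rows and credentials are constructed sample data:

```python
# Added example: the vulnerable concatenated login query next to its
# parameterized form, run against a constructed in-memory SQLite table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "battery-staple")],
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL string, so a quote and
    a comment marker in the username rewrite the query structure."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the query template is fixed and both inputs are bound as
    data values, so the same payload is just a username that does not exist."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # The payload from the text: the comment marker discards the password check.
    print(login_concatenated(db, "admin' --", "wrong"))       # ['admin']
    # The payload from the diagram: the OR clause matches every row.
    print(login_concatenated(db, "admin' OR 1=1 --", "wrong"))  # ['admin', 'alice']
    # Same payload through the parameterized query: no row has that literal username.
    print(login_parameterized(db, "admin' --", "wrong"))      # []
    print(login_parameterized(db, "admin", "correct-horse"))  # ['admin']
```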


Frequently asked questions

SQL injection is a code injection vulnerability where an attacker inserts SQL syntax into user-controlled input that is concatenated directly into a database query. The database interprets the injected syntax as commands, enabling the attacker to read, modify, or delete data, bypass authentication, or in some cases execute operating system commands.
Parameterized queries separate the SQL command template from the user-supplied values. The database receives the query structure and the parameter values independently and always treats the parameter values as data — never as SQL syntax. There is no concatenation step where injected SQL can alter the query structure.
Classic (in-band) injection returns results directly in the response. Union-based injection appends a `UNION SELECT` to extract data from other tables. Boolean-based blind injection infers data one bit at a time from true/false application responses. Time-based blind injection uses functions like `SLEEP()` to exfiltrate data based on response delays when no output is visible.
```mermaid
flowchart TD
    subgraph Vulnerable Code Path
        A[User input: username field\nValue: admin or 1 equals 1 --] --> B[App concatenates input\ninto SQL string directly]
        B --> C["Resulting query:\nSELECT * FROM users\nWHERE username = 'admin' OR 1=1 --'"]
        C --> D[Database executes\nmanipulated query]
        D --> E[1=1 always true\nReturns all users]
        E --> F[Attacker bypasses login\nor dumps entire table]
    end
    subgraph Secure Code Path
        G[User input: username field\nValue: admin or 1 equals 1 --] --> H[App uses parameterized query\nSELECT * FROM users WHERE username = ?]
        H --> I[Input passed as\nbind parameter not SQL]
        I --> J[Database treats input\nas literal string data]
        J --> K[Query finds no user\nnamed that exact string]
        K --> L[Login fails safely\nNo injection possible]
    end
```