Web Culture

What Is An SQL Injection? [MakeUseOf Explains]

Joel Lee 11-09-2012

sql injectionThe world of Internet security is plagued with open ports, backdoors, security holes, Trojans, worms, firewall vulnerabilities and a slew of other issues that keep us all on our toes every day. For private users, viruses and worms seem to be the worst of the possibilities. But for anyone running a database, the SQL injection is one of the most destructive security flaws out there.


Databases are extremely valuable in the realm of computers. They’re essential for storing data as memory and showing the various relationships between points of data. Here at MakeUseOf, we have numerous databases dedicated to various tasks: one for all of our articles, one for our userbase, one for our Rewards program, and the list goes on. What happens when our databases are maliciously attacked – or even destroyed?

When you don’t have actual access to a database, the SQL injection is one of the most prominent forms of attack. Keep reading to learn what it is exactly and how it can be so dangerous.

What Is SQL, Anyway?

To understand SQL injection, you have to first understand what SQL is and how it relates to a website. SQL, which stands for Structured Query Language, is a type of programming language optimized for managing tabular data. For all intents and purposes, it’s just a way for programmers to communicate with a database and give it commands.

sql injection

Whenever a database is being acted upon, there are SQL commands being given and processed. If you think about all of the times when a database is being acted upon, you’ll conclude that it only happens in a handful of circumstances:

  • When new data needs to be inserted,
  • When current data needs to be changed,
  • When old data needs to be deleted,
  • When a particular piece of data needs to be searched and retrieved.

Any time one of these actions needs to occur, an SQL command is being executed somewhere on a server. For the most part, the programmer gets to determine when and where these SQL commands occur in the source code. However, there are unavoidable circumstances when a user can force a manipulation of a database – and those opportunities are all around you.

Have you ever logged into a website? Have you ever posted a comment on a blog article or a reply in a forum thread? Ever sent a Facebook message to a friend? Typed an email in Gmail? Searched for a website on Google? Any time you see an input field on a website (username, password, search query, message box, etc.), that text is sent to the database and acted upon.

Now, if a malicious user wanted to tamper with a database, there aren’t very many choices for him. One possibility would be to gain actual physical access to the server and destroy it at its base. But otherwise, it makes the most sense for the malicious user to hijack an existing SQL command when using an input field, thus forcing the server to perform a command different from what was originally intended.

The SQL Injection Technique

This act of hijacking an existing SQL command is what SQL injection refers to. Why is it called injection? Because hijacking an SQL command requires the user to inject his own SQL code when using an input field. Does that sound confusing? Let me illustrate with an example.


Consider MakeUseOf’s login page. When you enter your username and password and hit “Submit“, you’re forcing the web server to generate an SQL command that involves the information you just gave–that is, your username and password. The database receives the information, verifies that the username/password combination is correct, then gives you the proper access to other areas of the site.

what is sql injection

Now imagine what would happen if a malicious user didn’t enter his username and password, but instead typed an SQL command as his username? If the server code isn’t properly secured, the database will receive the faulty username (which is really an SQL command) and actually run it as a command.

And that’s why it’s called injection. The SQL command is injected into the database through entirely legitimate means, manipulating it such that it ends up doing something it wasn’t meant to do.


An Advanced Example

Up until now, I’ve described SQL injection in high-level terms so that anybody can understand–even those without programming knowledge. In this section, I’m going to give an actual example of how this technique is possible. If you’re an SQL newbie, or if you’ve never dealt with programming before, then you can quietly skip this section.

When logging into a website, here’s a possible way that the code could be written in SQL:

SELECT user_id
FROM users_db
WHERE username=’$username’ AND password=’$password’

Basically, the command asks the database to return all user_ids from the table users_db that match the inputted username and password combination. Looks all fine and dandy, right?

Let’s suppose that the login form was given the following inputs:


Username: David
Password: fubar’ OR ‘x’=’x

Notice that the password field does not begin or end with an apostrophe. When the server receives this login attempt, it will take everything given in the password field and put it in place of the $password in the code. The resulting SQL command will look like this:

SELECT user_id
FROM users_db
WHERE username=’David’ AND password=’fubar’ OR ‘x’=’x

When the server runs this command, the last part of that SQL command will always return true. This means that the malicious user could input any username and instantly gain access to that account because the login would work whether or not he got the password right.

sql injection

Of course, logging into someone’s account is a rather mild offense when you compare it to all the other possible hack attempts: deleting entire databases, mucking up all of the data, or even stealing the data in the databases.

Professional web developers are getting better and better at preventing such tricks, but every once in a while you’ll hear that a company suffered loss at the hands of an SQL injection attack. When it happens, you now know what it means and how it’s possible.

Image Credit: Intro Image Via Shutterstock, Database Schema Via Shutterstock, HACKED Via Shutterstock

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Anonymous
    February 27, 2013 at 2:38 am

    Thanks for the article. I had a tentative grasp on what SQL Injection was about -- now it's quite a bit clearer.

  2. Srinivas N
    September 24, 2012 at 10:03 am

    I have visited many websites to understand what actually this SQL injection is. They're too technical for me. This explanation cant get any better understood every bit of it. thanx joel

  3. Ali Khan
    September 18, 2012 at 7:13 am

    Excellent Article ...which is explained in simple and lucid manner.
    I hope more articles like this on MUO.
    Well done.

  4. josemon maliakal
    September 14, 2012 at 2:23 am

    hi there, the article is excellent and easy to understand ..can you please tell the methods on how to perform sql injection test on websites ???

  5. Dimal Chandrasiri
    September 13, 2012 at 5:01 pm

    this was very informative! Actually I'm an undergraduate IT student and was wondering what SQL injection is. this helped me a lot! thanks man! :)

  6. GrrGrrr
    September 12, 2012 at 4:37 pm

    Thanks Joel
    Nice article and worth reading.

    On this point "Consider MakeUseOf’s login page. When you enter your username and password and hit “Submit“", I see that MUO does not have any login, but uses either of the social networking sites for logging. So how is your example valid for MUO?

    • Joel Lee
      September 12, 2012 at 7:40 pm

      GrrGrr, it seems that MakeUseOf has gone through a slight design tweak since I wrote this article. However, the point remains valid for ANY website's login page. The important point is that most form fields can be vulnerable to an SQL injection if the code is not handled properly. :)

  7. Brian TKatch
    September 12, 2012 at 12:03 pm

    "the programmer gets to determine when and where these SQL commands occur in the source code."

    There is no need to execute it in the source code. A Stored Procedure is usually better (and then that SP is called). Regardless, the issue is not the SQL statement itself, but the parameters specified within it.

    A statement can accept parameters, in which case the database will make sure the parameters are of the correct type.

    SQL Injections happens when the programmer ignores the provided method for parametrization, and uses dynamic SQL. That is, he builds the statement on the fly. Building a statement allows any statement to be run, hence, SQL Injection.

    So, the easy rule is: Never use dyanmic SQL.

    Just use host variable and you will not have to worry about SQL injection.

  8. Freecycle Me
    September 12, 2012 at 10:21 am

    I have always known of these but never known in depth about them. Thank you for this and please consider writing more about these issues to help us web developers know the problems that can arise and how their sites are at risk. Knowledge is power, and its better if we all know.

  9. AP
    September 12, 2012 at 10:09 am

    Lucid explaination for those who are not programmers.

  10. Whomp Shanti
    September 12, 2012 at 8:51 am

    This is funny: everytime I ask myself some geeky question you guys seem to post an article on exact same matter in matter of days. Good article. Thanks.

  11. raman
    September 12, 2012 at 5:34 am

    A detailed explanation about sql injection.It will helpful to us for understanding and aware of sql injection.Thank you

  12. Rohan
    September 12, 2012 at 5:33 am

    Very informative article, plz tell me is there any plugin is available to prevent sql injection for wordpress ?

  13. Jack Cola
    September 12, 2012 at 3:49 am

    If anyone is up to some further reading, I have posted an article on other methods, similar to an SQL injection attack which can compromise websites. Have a read at http://www.jackcola.org/blog/229-the-101-to-basic-hacking-how-to-hack-facebook-and-other-websites

  14. Sebastian Hadinata
    September 12, 2012 at 3:27 am

    Great explanation..

  15. Mark
    September 12, 2012 at 1:37 am

    hope it doesn't motivate those hackers-wannabe. :)

  16. Shakirah Faleh Lai
    September 12, 2012 at 1:04 am

    Havij made sql injection easier.

  17. Gary Smith
    September 11, 2012 at 11:38 pm

    Amazing, just yesterday I asked myself what does SQL (squirrel) mean. Your tweet lead me here to this article and I'm glad I read it all.
    My site is hosted by godaddy and my site has a form field (footer) for leaving any questions or comments a reader would like to input.

    Question: Can an SQL be performed from the form field (footer)?
    Wassup plug-in informs me of (might be) hack attempts, could this be due to the above question.

    • Joel Lee
      September 12, 2012 at 12:28 am

      Hey, glad that this article was of help to you. :)

      SQL injections can happen in a number of ways. The most common way is through a form field--yes, ANY form field. However, if your form field is supplied by a plugin, it is up to the developer of that plugin to keep these SQL holes plugged. That's why software is so often updated with "security fixes"--sometimes, they're fixing these SQL holes that they once overlooked.

      If you didn't code the form field yourself, then it all depends on the developer. If you DID code it yourself, then there are resources out there that will help you identify SQL vulnerabilities where injections could happen. That's outside of my expertise, unfortunately.

      If Wassup notifies you of a hack attempt, it's possible that it was an SQL injection attempt. However, it could also be a number of other possibilities. As long as Wassup catches it, you should have nothing to worry about (to my knowledge, at least).

      If you have any more questions, I'll try to answer them as best as I can.

      • Gary Smith
        September 12, 2012 at 12:50 am

        Thanks Joel, No, I didn't code the Wassup Plug-in! Someone from WordPress did. The form field has captcha (Blocks spam) -but- can captcha block SQL? I'm thinking it can't. Anyway Wassup plug-in is a tracker not the form field plug-in.

        Also I'm thinking the (might be) hack attempts are "Automation".
        If its to much to ask of you, could you look at this site and tell me from the front end, what you think and if I have any visible discrepancies. If you are unable to have a look see, I'm thankful your here. It really helps to be able to converse in such a direct manner -other- places aren't as open for discussion like MUO is. Which I have been following for nearly 5 yrs. now -but- only lately have begun to engage on MUO.


        • Joel Lee
          September 12, 2012 at 1:33 am

          Hey Gary. If your website is operated mainly through software and plugins that other people have developed, you have nothing to worry about UNLESS some sort of announcement is made that a particularly bad security hole has been found in something that you use. Otherwise, you shouldn't worry too much about it.

          We have a lot of pride in what we do here at MUO, so thanks for your kind words. Much appreciated. :)

        • Gary Smith
          September 12, 2012 at 1:53 am

          OK, thanks...Happy Computering!

      • Gary Smith
        September 12, 2012 at 12:53 am

        Site was removed. How can I get it to you. I'll try this way:
        If its not here, then it was removed again.

  18. dohRG
    September 11, 2012 at 10:06 pm

    Good explanation of something not often explained! thanks

    • Joel Lee
      September 11, 2012 at 10:41 pm

      Thank you. Glad it helped!

  19. Clyde Atwood
    September 11, 2012 at 10:04 pm

    I've been running Comodo Dragon browser, does that help? I let Comodo Dragon use their own server that is the proxy...

    • Joel Lee
      September 11, 2012 at 10:44 pm

      An SQL injection is not something you yourself need to worry about. Someone cannot "SQL inject" you and hack you in that way. The people who DO need to worry about SQL injections are those who run, administer, or code websites. These SQL vulnerabilities are server-side and affect the websites, not the users.

      So there's no need to worry on your end if you don't run a website, and as such, your browser choice shares nothing in common with an SQL injection attack. :)