SQL injection - Revision history

Materialscientist: Reverted edits by 88.212.130.144 (talk) (HG) (3.4.13)

2025-05-01T10:03:08Z

Reverted edits by 88.212.130.144 (talk) (HG) (3.4.13)

← Previous revision		Revision as of 10:03, 1 May 2025
Line 5:		Line 5:
	In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.		In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.

	SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, ~~allounavailable~~, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}		SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}

	SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

88.212.130.144: e

2025-05-01T10:02:44Z

← Previous revision		Revision as of 10:02, 1 May 2025
Line 5:		Line 5:
	In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.		In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.

	SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, ~~allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable~~, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}		SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, allounavailable, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}

	SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

FlutterDash344: Undid revision 1288232598 by 88.212.130.144 (talk)

2025-05-01T10:01:17Z

Undid revision 1288232598 by 88.212.130.144 (talk)

← Previous revision		Revision as of 10:01, 1 May 2025
Line 15:		Line 15:

	By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

			==Root cause==
			{{Norefs\|section\|date=March 2025}}
			SQL Injection is a common security vulnerability that arises from letting attacker supplied data become SQL code. This happens when programmers assemble SQL queries either by string interpolation or by concatenating SQL commands with user supplied data. Therefore, injection relies on the fact that SQL statements consist of both data used by the SQL statement and commands that control how the SQL statement is executed. For example, in the SQL statement <syntaxhighlight lang="sql" inline>select * from person where name = 'susan' and age = 2</syntaxhighlight> the string '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' is data and the fragment <syntaxhighlight lang="sql" inline>and age = 2</syntaxhighlight> is an example of a command (the value <syntaxhighlight lang="sql" inline>2</syntaxhighlight> is also data in this example).

			SQL injection occurs when specially crafted user input is processed by the receiving program in a way that allows the input to exit a data context and enter a command context. This allows the attacker to alter the structure of the SQL statement which is executed.

			As a simple example, imagine that the data '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' in the above statement was provided by user input. The user entered the string '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' (without the apostrophes) in a web form text entry field, and the program used [[string concatenation]] statements to form the above SQL statement from the three fragments <syntaxhighlight lang="sql" inline>select * from person where name='</syntaxhighlight>, the user input of '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>', and <syntaxhighlight lang="sql" inline>' and age = 2</syntaxhighlight>.

			Now imagine that instead of entering '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' the attacker entered <syntaxhighlight lang="sql" inline>' or 1=1; --</syntaxhighlight>.

			The program will use the same string concatenation approach with the 3 fragments of <syntaxhighlight lang="sql" inline>select * from person where name='</syntaxhighlight>, the user input of <syntaxhighlight lang="sql" inline>' or 1=1; --</syntaxhighlight>, and <syntaxhighlight lang="sql" inline>' and age = 2</syntaxhighlight> and construct the statement <syntaxhighlight lang="sql" inline>select * from person where name='' or 1=1; --' and age = 2</syntaxhighlight>. Many databases will ignore the text after the '--' string as this denotes a comment. The structure of the SQL command is now <syntaxhighlight lang="sql" inline>select * from person where name='' or 1=1;</syntaxhighlight> and this will select all person rows rather than just those named 'susan' whose age is 2. The attacker has managed to craft a data string which exits the data context and entered a command context.

	==Ways to exploit==		==Ways to exploit==

88.212.130.144: /* Root cause */

2025-05-01T10:01:01Z

Root cause

← Previous revision		Revision as of 10:01, 1 May 2025
Line 15:		Line 15:

	By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

	==Root cause==
	{{Norefs\|section\|date=March 2025}}
	SQL Injection is a common security vulnerability that arises from letting attacker supplied data become SQL code. This happens when programmers assemble SQL queries either by string interpolation or by concatenating SQL commands with user supplied data. Therefore, injection relies on the fact that SQL statements consist of both data used by the SQL statement and commands that control how the SQL statement is executed. For example, in the SQL statement <syntaxhighlight lang="sql" inline>select * from person where name = 'susan' and age = 2</syntaxhighlight> the string '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' is data and the fragment <syntaxhighlight lang="sql" inline>and age = 2</syntaxhighlight> is an example of a command (the value <syntaxhighlight lang="sql" inline>2</syntaxhighlight> is also data in this example).

	SQL injection occurs when specially crafted user input is processed by the receiving program in a way that allows the input to exit a data context and enter a command context. This allows the attacker to alter the structure of the SQL statement which is executed.

	As a simple example, imagine that the data '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' in the above statement was provided by user input. The user entered the string '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' (without the apostrophes) in a web form text entry field, and the program used [[string concatenation]] statements to form the above SQL statement from the three fragments <syntaxhighlight lang="sql" inline>select * from person where name='</syntaxhighlight>, the user input of '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>', and <syntaxhighlight lang="sql" inline>' and age = 2</syntaxhighlight>.

	Now imagine that instead of entering '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' the attacker entered <syntaxhighlight lang="sql" inline>' or 1=1; --</syntaxhighlight>.

	The program will use the same string concatenation approach with the 3 fragments of <syntaxhighlight lang="sql" inline>select * from person where name='</syntaxhighlight>, the user input of <syntaxhighlight lang="sql" inline>' or 1=1; --</syntaxhighlight>, and <syntaxhighlight lang="sql" inline>' and age = 2</syntaxhighlight> and construct the statement <syntaxhighlight lang="sql" inline>select * from person where name='' or 1=1; --' and age = 2</syntaxhighlight>. Many databases will ignore the text after the '--' string as this denotes a comment. The structure of the SQL command is now <syntaxhighlight lang="sql" inline>select * from person where name='' or 1=1;</syntaxhighlight> and this will select all person rows rather than just those named 'susan' whose age is 2. The attacker has managed to craft a data string which exits the data context and entered a command context.

	==Ways to exploit==		==Ways to exploit==

Materialscientist: Reverted edits by 88.212.130.144 (talk) (HG) (3.4.13)

2025-05-01T10:00:40Z

Reverted edits by 88.212.130.144 (talk) (HG) (3.4.13)

← Previous revision		Revision as of 10:00, 1 May 2025
Line 10:		Line 10:

	==History==		==History==
	Discussions of SQL injection began in the late 1990s, including in a 1998 article in [[Phrack Magazine]].<ref>{{cite journal\|title=NT Web Technology Vulnerabilities\|author=Jeff Forristal (signing as rain.forest.puppy)\|journal=[[Phrack Magazine]]\|volume=8\|issue=54 (article 8)\|date=Dec 25, 1998\|url=http://www.phrack.com/issues.html?issue=54&id=8#article\|url-status=live \|archive-		Discussions of SQL injection began in the late 1990s, including in a 1998 article in [[Phrack Magazine]].<ref>{{cite journal\|title=NT Web Technology Vulnerabilities\|author=Jeff Forristal (signing as rain.forest.puppy)\|journal=[[Phrack Magazine]]\|volume=8\|issue=54 (article 8)\|date=Dec 25, 1998\|url=http://www.phrack.com/issues.html?issue=54&id=8#article\|url-status=live \|archive-url=https://web.archive.org/web/20140319065810/http://www.phrack.com/issues.html?issue=54&id=8#article\|archive-date=March 19, 2014 \|language=en}}</ref> SQL injection was ranked among the top 10 web application vulnerabilities of 2007 and 2010 by the [[OWASP\|Open Web Application Security Project]] (OWASP).<ref>{{cite web \|title=Category:OWASP Top Ten Project \|url=https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project \|url-status=live \|archive-url=https://web.archive.org/web/20110519235909/https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project \|archive-date=May 19, 2011 \|access-date=2011-06-03 \|publisher=Open Web Application Security Project (OWASP) \|language=en}}</ref> In 2013, SQL injection was listed as the most critical web application vulnerability in the OWASP Top 10.<ref>{{cite web \|title=Category:OWASP Top Ten Project \|url=https://www.owasp.org/index.php/Top_10_2013-Top_10 \|url-status=live \|archive-url=https://web.archive.org/web/20131009150041/https://www.owasp.org/index.php/Top_10_2013-Top_10 \|archive-date=October 9, 2013 \|access-date=2013-08-13 \|publisher=Open Web Application Security Project (OWASP) \|language=en}}</ref>

			In 2017, the ''OWASP Top 10 Application Security Risks'' grouped SQL injection under the broader category of "Injection," ranking it as the third most critical security threat. This category included various types of injection attacks, such as SQL, [[NoSQL]], OS command, and [[LDAP injection]]. These vulnerabilities arise when an application processes untrusted data as part of a command or query, potentially allowing attackers to execute unintended actions or gain unauthorized access to data.<ref>{{Cite web \|title=OWASP Top 10 Application Security Risks - 2017 \|url=https://owasp.org/www-project-top-ten/2017/Top_10 \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

	By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

88.212.130.144: /* History */

2025-05-01T10:00:16Z

History

← Previous revision		Revision as of 10:00, 1 May 2025
Line 10:		Line 10:

	==History==		==History==
	Discussions of SQL injection began in the late 1990s, including in a 1998 article in [[Phrack Magazine]].<ref>{{cite journal\|title=NT Web Technology Vulnerabilities\|author=Jeff Forristal (signing as rain.forest.puppy)\|journal=[[Phrack Magazine]]\|volume=8\|issue=54 (article 8)\|date=Dec 25, 1998\|url=http://www.phrack.com/issues.html?issue=54&id=8#article\|url-status=live \|archive-url=https://web.archive.org/web/20140319065810/http://www.phrack.com/issues.html?issue=54&id=8#article\|archive-date=March 19, 2014 \|language=en}}</ref> SQL injection was ranked among the top 10 web application vulnerabilities of 2007 and 2010 by the [[OWASP\|Open Web Application Security Project]] (OWASP).<ref>{{cite web \|title=Category:OWASP Top Ten Project \|url=https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project \|url-status=live \|archive-url=https://web.archive.org/web/20110519235909/https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project \|archive-date=May 19, 2011 \|access-date=2011-06-03 \|publisher=Open Web Application Security Project (OWASP) \|language=en}}</ref> In 2013, SQL injection was listed as the most critical web application vulnerability in the OWASP Top 10.<ref>{{cite web \|title=Category:OWASP Top Ten Project \|url=https://www.owasp.org/index.php/Top_10_2013-Top_10 \|url-status=live \|archive-url=https://web.archive.org/web/20131009150041/https://www.owasp.org/index.php/Top_10_2013-Top_10 \|archive-date=October 9, 2013 \|access-date=2013-08-13 \|publisher=Open Web Application Security Project (OWASP) \|language=en}}</ref>		Discussions of SQL injection began in the late 1990s, including in a 1998 article in [[Phrack Magazine]].<ref>{{cite journal\|title=NT Web Technology Vulnerabilities\|author=Jeff Forristal (signing as rain.forest.puppy)\|journal=[[Phrack Magazine]]\|volume=8\|issue=54 (article 8)\|date=Dec 25, 1998\|url=http://www.phrack.com/issues.html?issue=54&id=8#article\|url-status=live \|archive-

	In 2017, the ''OWASP Top 10 Application Security Risks'' grouped SQL injection under the broader category of "Injection," ranking it as the third most critical security threat. This category included various types of injection attacks, such as SQL, [[NoSQL]], OS command, and [[LDAP injection]]. These vulnerabilities arise when an application processes untrusted data as part of a command or query, potentially allowing attackers to execute unintended actions or gain unauthorized access to data.<ref>{{Cite web \|title=OWASP Top 10 Application Security Risks - 2017 \|url=https://owasp.org/www-project-top-ten/2017/Top_10 \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

	By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

WikiCleanerBot: v2.05b - Bot T12 CW#548 - Fix errors for CW project (Punctuation in link - Link equal to linktext - tags)

2025-03-31T18:00:04Z

v2.05b - Bot T12 CW#548 - Fix errors for CW project (Punctuation in link - Link equal to linktext - <nowiki> tags)

← Previous revision		Revision as of 18:00, 31 March 2025
Line 14:		Line 14:
	In 2017, the ''OWASP Top 10 Application Security Risks'' grouped SQL injection under the broader category of "Injection," ranking it as the third most critical security threat. This category included various types of injection attacks, such as SQL, [[NoSQL]], OS command, and [[LDAP injection]]. These vulnerabilities arise when an application processes untrusted data as part of a command or query, potentially allowing attackers to execute unintended actions or gain unauthorized access to data.<ref>{{Cite web \|title=OWASP Top 10 Application Security Risks - 2017 \|url=https://owasp.org/www-project-top-ten/2017/Top_10 \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		In 2017, the ''OWASP Top 10 Application Security Risks'' grouped SQL injection under the broader category of "Injection," ranking it as the third most critical security threat. This category included various types of injection attacks, such as SQL, [[NoSQL]], OS command, and [[LDAP injection]]. These vulnerabilities arise when an application processes untrusted data as part of a command or query, potentially allowing attackers to execute unintended actions or gain unauthorized access to data.<ref>{{Cite web \|title=OWASP Top 10 Application Security Risks - 2017 \|url=https://owasp.org/www-project-top-ten/2017/Top_10 \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

	By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]~~<nowiki/>~~s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		By 2021, injection remained a widespread issue, detected in 94% of analyzed applications, with reported incidence rates reaching up to 19%. That year’s ''OWASP Top 10'' further expanded the definition of injection vulnerabilities to include attacks targeting [[Object Relational Mapping]] (ORM) systems, [[Expression language\|Expression Language]] (EL), and Object Graph Navigation Library (OGNL). To address these risks, OWASP recommends strategies such as using secure [[API]]s, parameterized queries, input validation, and escaping special characters to prevent malicious data from being executed as part of a query.<ref>{{Cite web \|title=OWASP Top 10 2021 \|url=https://owasp.org/Top10/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref><ref>{{Cite web \|title=A03:2021 – Injection \|url=https://owasp.org/Top10/A03_2021-Injection/ \|access-date=9 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

	==Root cause==		==Root cause==
Line 83:		Line 83:
	SQL injection is a well-known attack that can be mitigated with established security measures. However, a 2015 [[cyberattack]] on British telecommunications company [[TalkTalk Group\|TalkTalk]] exploited an SQL injection vulnerability, compromising the personal data of approximately 400,000 customers. The ''[[BBC]]'' reported that security experts expressed surprise that a major company remained vulnerable to such an exploit.<ref>{{Cite news \|date=October 26, 2015 \|title=Questions for TalkTalk - BBC News \|url=https://www.bbc.com/news/technology-34636308 \|url-status=live \|archive-url=https://web.archive.org/web/20151026113434/http://www.bbc.com/news/technology-34636308 \|archive-date=October 26, 2015 \|access-date=2015-10-26 \|work=BBC News \|language=en}}</ref>		SQL injection is a well-known attack that can be mitigated with established security measures. However, a 2015 [[cyberattack]] on British telecommunications company [[TalkTalk Group\|TalkTalk]] exploited an SQL injection vulnerability, compromising the personal data of approximately 400,000 customers. The ''[[BBC]]'' reported that security experts expressed surprise that a major company remained vulnerable to such an exploit.<ref>{{Cite news \|date=October 26, 2015 \|title=Questions for TalkTalk - BBC News \|url=https://www.bbc.com/news/technology-34636308 \|url-status=live \|archive-url=https://web.archive.org/web/20151026113434/http://www.bbc.com/news/technology-34636308 \|archive-date=October 26, 2015 \|access-date=2015-10-26 \|work=BBC News \|language=en}}</ref>

	A variety of defensive measures exist to mitigate SQL injection risks by preventing attackers from injecting malicious SQL code into database queries. Core mitigation strategies, as outlined by [[OWASP~~\|OWASP,~~]] include parameterized queries, [[input validation]], and least privilege access controls, which limit the ability of user input to alter SQL queries and execute unintended commands.<ref name=":0" /> In addition to preventive measures, detection techniques help identify potential SQL injection attempts. Methods such as [[pattern matching]], [[software testing]], and grammar analysis examine query structures and user inputs to detect irregularities that may indicate an injection attempt.<ref name="sfw2.12018" />		A variety of defensive measures exist to mitigate SQL injection risks by preventing attackers from injecting malicious SQL code into database queries. Core mitigation strategies, as outlined by [[OWASP]], include parameterized queries, [[input validation]], and least privilege access controls, which limit the ability of user input to alter SQL queries and execute unintended commands.<ref name=":0" /> In addition to preventive measures, detection techniques help identify potential SQL injection attempts. Methods such as [[pattern matching]], [[software testing]], and grammar analysis examine query structures and user inputs to detect irregularities that may indicate an injection attempt.<ref name="sfw2.12018" />

	=== Core mitigation ===		=== Core mitigation ===

Annh07: Reverted 1 edit by Miageorgia11 (talk): Spam

2025-03-27T10:45:24Z

Reverted 1 edit by Miageorgia11 (talk): Spam

← Previous revision		Revision as of 10:45, 27 March 2025
Line 177:		Line 177:
	* [http://go.microsoft.com/?linkid=9707610 SDL Quick security references on SQL injection] by Bala Neerumalla.		* [http://go.microsoft.com/?linkid=9707610 SDL Quick security references on SQL injection] by Bala Neerumalla.
	* [https://arstechnica.com/information-technology/2016/10/how-security-flaws-work-sql-injection/ How security flaws work: SQL injection]		* [https://arstechnica.com/information-technology/2016/10/how-security-flaws-work-sql-injection/ How security flaws work: SQL injection]
	* [https://www.firesand.co.uk/articles-research/posts/2023/october/primer-introduction-to-sql-injection-attacks/ Introduction to SQL Injection Attacks] \| By Chris Blake

	{{Information security}}		{{Information security}}

Miageorgia11: /* External links */ this link links to an article talking through SQL injection in more depth

2025-03-27T10:38:19Z

External links: this link links to an article talking through SQL injection in more depth

← Previous revision		Revision as of 10:38, 27 March 2025
Line 177:		Line 177:
	* [http://go.microsoft.com/?linkid=9707610 SDL Quick security references on SQL injection] by Bala Neerumalla.		* [http://go.microsoft.com/?linkid=9707610 SDL Quick security references on SQL injection] by Bala Neerumalla.
	* [https://arstechnica.com/information-technology/2016/10/how-security-flaws-work-sql-injection/ How security flaws work: SQL injection]		* [https://arstechnica.com/information-technology/2016/10/how-security-flaws-work-sql-injection/ How security flaws work: SQL injection]
			* [https://www.firesand.co.uk/articles-research/posts/2023/october/primer-introduction-to-sql-injection-attacks/ Introduction to SQL Injection Attacks] \| By Chris Blake

	{{Information security}}		{{Information security}}

Annh07: Reverted 1 edit by Miageorgia11 (talk): Spam

2025-03-25T13:06:52Z

Reverted 1 edit by Miageorgia11 (talk): Spam

← Previous revision		Revision as of 13:06, 25 March 2025
Line 172:		Line 172:

	==External links==		==External links==
	* [https://www.firesand.co.uk/articles-research/posts/2023/october/primer-introduction-to-sql-injection-attacks/ Introduction to SQL Injection Attacks] <ref>{{Cite web \|title=Primer: Introduction to SQL Injection Attacks \|url=https://www.firesand.co.uk/articles-research/posts/2023/october/primer-introduction-to-sql-injection-attacks/ \|access-date=2025-03-25 \|website=Firesand \|language=en}}</ref> by Chris Blake
	* [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html OWASP SQL Injection Cheat Sheets], by OWASP.		* [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html OWASP SQL Injection Cheat Sheets], by OWASP.
	* [http://projects.webappsec.org/SQL-Injection WASC Threat Classification - SQL Injection Entry], by the Web Application Security Consortium.		* [http://projects.webappsec.org/SQL-Injection WASC Threat Classification - SQL Injection Entry], by the Web Application Security Consortium.

← Previous revision		Revision as of 10:03, 1 May 2025
Line 5:		Line 5:
	In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.		In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.

	SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, ~~allounavailable~~, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}		SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}

	SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>

← Previous revision		Revision as of 10:02, 1 May 2025
Line 5:		Line 5:
	In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.		In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)\|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web \|title=SQL Injection \|author=Microsoft \|url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx \|access-date=2013-08-04 \|quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQLi Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. \|url-status=live \|archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx \|archive-date=August 2, 2013 \|language=en}}</ref><ref name=sfw2.12018>{{Cite journal \|last1=Zhuo \|first1=Z. \|last2=Cai \|first2=T. \|last3=Zhang \|first3=X. \|last4=Lv \|first4=F. \|date=April 2021 \|title=Long short-term memory on abstract syntax tree for SQL injection detection \|journal=IET Software \|language=en \|volume=15 \|issue=2 \|pages=188–197 \|doi=10.1049/sfw2.12018 \|doi-access= \|s2cid=233582569 \|issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence\|escape characters]] embedded in SQL statements or user input is not [[Strongly-typed programming language\|strongly typed]] and unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database.

	SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, ~~allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable~~, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}		SQL injection attacks allow attackers to [[Spoofing attack\|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, allounavailable, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed\|date=March 2025}}

	SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>		SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data. OWASP outlines several mitigation strategies, including [[Prepared statement\|prepared statements]], [[Stored procedure\|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web \|title=SQL Injection Prevention Cheat Sheet \|url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html \|access-date=10 March 2025 \|website=Open Web Application Security Project (OWASP)}}</ref>