search

SQL Injection (SQLi)

hashtag
Overview

SQL injection (SQLi) is a vulnerability that allows an attacker to interfere with queries that an application makes to its database. It generally allows an attacker to inject SQL and gain the ability to read, modify and delete data.

For example, consider an application that displays products in different categories. The following URL will return a list of products on the Gifts category:

https://vulnerable-website.local/products?category=Gifts

The application makes the following SQL query to retrieve data from a database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

The restriction released = 1 is being used to hide products that are not released. If the category variable is directly passed to the SQL query, an attacker can craft the following URL:

https://vulnerable-website.local/products?category=Gifts'--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

Since -- is a comment in SQL, an attacker can retrieve all products, whether they are released or not.

You can find more details at PortSwigger Web Security Academy: SQL injectionarrow-up-right.

This page contains recommendations for the implementation of protection against SQL injection (SQLi) attacks.

hashtag
General

  • Do not use string formatting or concatenation to assemble SQL queries.

  • Use prepared statements (or parametrized queries) to assemble SQL queries.

hashtag
Prepared statements

Use a database driver from the following list of available drivers: https://github.com/golang/go/wiki/SQLDriversarrow-up-right.

Example for PostgreSQL

Remember that placeholders are database specific:

MySQL

Placeholder

Example

PostgreSQL

Placeholder

Example

Oracle

Placeholder

Example

hashtag
References

PreviousRegular Expression Denial of Service (ReDoS)NextXML External Entity (XXE) Injection

Last updated