The latest articles on DEV Community by Moses Ikechukwu (@moses_ikechukwu_20d1ebe40). https://dev.to/moses_ikechukwu_20d1ebe40 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2896811%2F1556eb51-9289-4518-b5b1-0c639a9d6e1d.png https://dev.to/moses_ikechukwu_20d1ebe40 en Moses Ikechukwu Mon, 24 Feb 2025 17:25:57 +0000 https://dev.to/moses_ikechukwu_20d1ebe40/sql-injection-514k https://dev.to/moses_ikechukwu_20d1ebe40/sql-injection-514k <p><strong>What is SQL Injection?</strong></p> <p>SQL Injection (SQLi) is a web security vulnerability that allows attackers to manipulate a website’s database by injecting malicious SQL code into input fields. It can lead to unauthorized access, data theft, modification, or even complete deletion of a database.</p> <p><strong>How SQL Injection Works</strong></p> <p>When a web application improperly handles user input, an attacker can insert SQL commands into a query. For example, consider this vulnerable PHP code:</p> <p>$username = $_POST['username'];<br> $password = $_POST['password'];<br> $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";<br> $result = mysqli_query($conn, $query);</p> <p>If an attacker enters admin' -- as the username, the query becomes:</p> <p>SELECT * FROM users WHERE username = 'admin' --' AND password = ''</p> <p>The -- comment operator ignores the rest of the statement, bypassing authentication.</p> <p><strong>Consequences of SQL Injection</strong></p> <p><em>Unauthorized Access</em> – Attackers can log in as admin without credentials.</p> <p><em>Data Theft</em> – Sensitive user information, including passwords, can be exposed.</p> <p><em>Data Manipulation</em> – Hackers can modify or delete database records.</p> <p><em>System Compromise</em> – In severe cases, an attacker can gain full control of the server.</p> <p><strong>Preventing SQL Injection</strong></p> <ol> <li>Use Prepared Statements and Parameterized Queries:</li> </ol> <p>$stmt = $conn-&gt;prepare("SELECT * FROM users WHERE username = ? AND password = ?");<br> $stmt-&gt;bind_param("ss", $username, $password);<br> $stmt-&gt;execute();</p> <ol> <li><p>Sanitize User Input – Use htmlspecialchars() to prevent special character interpretation.</p></li> <li><p>Use Least Privilege Principle – Restrict database user permissions.</p></li> <li><p>Employ Web Application Firewalls (WAF) – Detect and block SQL injection attempts.</p></li> </ol> <p><strong>Conclusion</strong></p> <p>SQL Injection is one of the most dangerous web vulnerabilities but can be prevented with secure coding practices. By using parameterized queries, input validation, and proper access control, developers can protect applications from SQLi attacks.</p> php sql sqlinjection security