Even today, a single poorly written SQL query can allow an attacker to bypass authentication or expose sensitive data.
And the scary part? It often comes down to just one line of code.
In the previous articles, we saw how small implementation decisions can introduce serious vulnerabilities. SQL Injection is one of the clearest examples of this—simple to understand, yet still widely exploited.
What is SQL Injection?
SQL Injection occurs when untrusted user input is included directly in a SQL query.
Instead of being treated as data, the input is interpreted as part of the SQL command itself. This allows attackers to manipulate queries and control how the database behaves.
How SQL Injection Works
Consider a typical login query:
SELECT * FROM users
WHERE username = 'input' AND password = 'input';
The application expects input to be normal user data.
But what if an attacker provides this instead?
' OR 1=1 --
- OR 1=1 → always true
- -- → comments out the rest of the query 👉 The database ends up executing a modified query that ignores authentication checks.
A Simple Login Bypass Example (Java)
Let’s look at how this vulnerability often appears in real code.
❌ Vulnerable Implementation
String username = request.getParameter("username");
String password = request.getParameter("password");
String query = "SELECT * FROM users WHERE username = '"
+ username + "' AND password = '" + password + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
⚠️ What’s the problem?
- User input is directly concatenated into the SQL query
- No separation between code and data
- The database cannot distinguish between intended query logic and attacker input
💥 Attack Input
username: admin
password: ' OR 1=1 --
💣 Resulting Query
SELECT * FROM users
WHERE username = 'admin' AND password = '' OR 1=1 --'
👉 The condition OR 1=1 is always true, so the query returns results regardless of the password.
Result: Authentication is bypassed.
Real-World Impact
SQL Injection is not just theoretical—it can lead to serious consequences:
- Unauthorized login (authentication bypass)
- Exposure of sensitive data
- Modification or deletion of database records
- Full database compromise
How to Prevent SQL Injection
Preventing SQL Injection is straightforward—but only if done correctly.
✅ 1. Use Prepared Statements (Java)
String query = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, username);
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery();
👉 Why this works:
- Query structure is fixed
- User input is treated strictly as data, not executable SQL
✅ 2. Use ORM Frameworks (JPA / Hibernate)
User user = userRepository.findByUsernameAndPassword(username, password);
👉 ORMs generate parameterized queries internally, which helps reduce the risk of SQL injection when used correctly.
✅ 3. Input Validation (Defense-in-Depth)
Limit input length
Restrict allowed characters
⚠️ Important: Input validation alone is not sufficient to prevent SQL Injection.
Most SQL injection vulnerabilities don’t happen because developers don’t know about them — they happen because of small shortcuts taken under time pressure.
✅ 4. Principle of Least Privilege
Database users should have only the permissions they need
Avoid using admin/root credentials for application access
Common Mistakes to Avoid
- Relying only on input validation
- Manually escaping strings instead of using parameterized queries
- Trusting frontend validation
- Logging raw queries with sensitive data
Final Thoughts
SQL Injection isn’t a complex attack—it’s usually the result of a simple coding mistake.
But its impact can be severe.
As a developer, the takeaway is clear:
👉 Never trust user input
👉 Always separate data from code
Small decisions in how you write queries can determine whether your application is secure—or completely exposed.
Top comments (0)