SQL injection

[1][2] SQL injection must exploit a security vulnerability in an application's software, for example when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed.

However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended.

[10] One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen.

If the original review loads with the "1=1" URL and a blank or error page is returned for the "1=2" URL, and that returned page was not generated to tell the user the input is invalid (in other words, the input was not caught by a validation script), the site is likely vulnerable to an SQL injection attack, since the query has probably passed through successfully in both cases.
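The probing pattern described above leaves a recognisable trace in the web server's access log: the same client requests the same page and parameter with a comparison that is always true and then one that is always false, and the two responses differ in size. The following detector is an added example, not code from the article; the log lines are constructed in combined log format, and the choice to key findings on (client, path, parameter) and to treat any bare numeric comparison as a probe are assumptions made here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format); not from the article.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /review.php?id=5 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /review.php?id=5%20AND%201%3D1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /review.php?id=5%20AND%201%3D2 HTTP/1.1" 200 312
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=1%3D1+sale HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A bare numeric comparison such as 1=1 or 1=2 inside a decoded parameter value.
COMPARISON_RE = re.compile(r'(\d+)\s*=\s*(\d+)')


def classify_probe(value):
    """Return 'true', 'false' or None for one decoded parameter value."""
    m = COMPARISON_RE.search(value)
    if m is None:
        return None
    return "true" if m.group(1) == m.group(2) else "false"


def find_blind_probes(log_text):
    """Report (client, path, parameter) triples that received both a true and a
    false comparison, together with the response size seen for each kind."""
    sizes = defaultdict(dict)  # (ip, path, param) -> {"true": size, "false": size}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        size = int(m["size"]) if m["size"] != "-" else 0
        # parse_qsl percent-decodes, so %3D becomes '=' before classification
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_probe(value)
            if kind is not None:
                sizes[(m["ip"], parts.path, key)][kind] = size
    findings = []
    for (ip, path, key), seen in sorted(sizes.items()):
        # A lone 1=1 in a search term is noise; the true/false pair is the signal.
        if {"true", "false"} <= set(seen):
            findings.append({"client": ip, "path": path, "param": key, "sizes": seen})
    return findings


if __name__ == "__main__":
    for finding in find_blind_probes(SAMPLE_LOG):
        print(finding)
```

The fourth sample line is there deliberately: a single true comparison in a search term is not flagged, only the paired true/false probe against the same parameter is. The recorded sizes (5120 versus 312 above) are what let an analyst confirm the "blank or error page" behaviour the text describes without replaying the requests.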

The hacker can continue to use code within query strings to achieve their goal directly, or to glean more information from the server in hopes of discovering another avenue of attack.

Then, when another part of the application uses that data in a query that is not protected from SQL injection, the malicious statement may be executed.

Automated web application security scanners would not easily detect this type of SQL injection and may need to be manually instructed where to check for evidence that it is being attempted.

To protect against this kind of attack, all SQL processing must be uniformly secure, regardless of the data source.
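The two situations above, a "userName" value spliced directly into a statement and the second-order case where a stored value is trusted later, come down to the same defect and the same fix. The following is an added example written for this page, not code from the article: it uses Python's standard `sqlite3` module with a constructed in-memory `users` table, shows the concatenating and the parameterised form of each query side by side, and uses a constructed crafted name to show that the parameterised insert stores it harmlessly while a later concatenating query is where it takes effect.

```python
import sqlite3


def setup_db():
    """Constructed in-memory schema with two sample users (not data from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            userName TEXT NOT NULL,
            email    TEXT NOT NULL
        );
        INSERT INTO users (userName, email) VALUES ('alice', 'alice@example.test');
        INSERT INTO users (userName, email) VALUES ('bob',   'bob@example.test');
    """)
    return conn


def lookup_unsafe(conn, user_name):
    # First-order flaw: the value is spliced into the SQL text, so a quote
    # inside user_name ends the literal and the rest is parsed as SQL.
    sql = "SELECT userName FROM users WHERE userName = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_name):
    # Parameterised query: the driver passes user_name as data, never as SQL.
    sql = "SELECT userName FROM users WHERE userName = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


def register(conn, user_name, email):
    # The insert is parameterised, so a crafted name is stored verbatim and
    # nothing executes at this point; the danger is only deferred.
    cur = conn.execute(
        "INSERT INTO users (userName, email) VALUES (?, ?)", (user_name, email)
    )
    return cur.lastrowid


def email_for_unsafe(conn, user_id):
    # Second-order flaw: the stored name is trusted because it "came from the
    # database" and is concatenated into a new statement.
    name = conn.execute(
        "SELECT userName FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    sql = "SELECT email FROM users WHERE userName = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def email_for_safe(conn, user_id):
    # Uniformly secure: data read back from the database is bound exactly the
    # way data that arrived from the user is bound.
    name = conn.execute(
        "SELECT userName FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE userName = ?", (name,)
    )]


if __name__ == "__main__":
    conn = setup_db()
    crafted = "x' OR '1'='1"  # constructed sample of a crafted userName
    print("unsafe lookup:", lookup_unsafe(conn, crafted))  # every user
    print("safe lookup:  ", lookup_safe(conn, crafted))    # no match
    uid = register(conn, crafted, "mallory@example.test")
    print("unsafe email: ", email_for_unsafe(conn, uid))  # every address
    print("safe email:   ", email_for_safe(conn, uid))    # only the new row
```

The point of `register` being parameterised is that a scanner exercising only the registration form sees nothing wrong; the flaw is in `email_for_unsafe`, which never receives user input directly. That is why a review has to cover every statement the application builds, not only the ones fed from request parameters.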

After an apparent SQL injection attack on TalkTalk in 2015, the BBC reported that security experts were stunned that such a large company would be vulnerable to it.

[14] Techniques like pattern matching, software testing, and grammar analysis are some common ways to mitigate these attacks.

Object–relational mapping (ORM) frameworks such as Hibernate and ActiveRecord provide an object-oriented interface for queries over a relational database.

Most, if not all, ORMs automatically handle the escaping needed to prevent SQL injection attacks as part of the framework's query API.

However, many ORMs provide the ability to bypass their mapping facilities and emit raw SQL statements; improper use of this functionality can introduce the possibility for an injection attack.

[20] Integer, float, or Boolean string parameters can be checked to determine if their value is a valid representation of the given type.
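Checking that a string parameter is a valid representation of its declared type is stricter than it first looks, because a language's own conversion functions are usually more permissive than a validator should be: Python's `int()` accepts surrounding whitespace and underscores, and `float()` accepts `nan` and `inf`. The following is an added example, not code from the article; the grammars, the `validate_params` interface and the sample query values are assumptions made here.

```python
import re

# Strict grammars, matched with fullmatch so that a trailing newline or any
# other surrounding character fails (a '$' anchor would tolerate a final '\n').
INT_RE = re.compile(r'[+-]?\d+')
FLOAT_RE = re.compile(r'[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?')
BOOL_VALUES = {"true": True, "false": False, "1": True, "0": False}


class ParameterError(ValueError):
    """Raised when a string parameter is not a valid representation of its type."""


def parse_int(raw, minimum=None, maximum=None):
    if not isinstance(raw, str) or INT_RE.fullmatch(raw) is None:
        raise ParameterError(f"not an integer: {raw!r}")
    value = int(raw)
    if (minimum is not None and value < minimum) or (maximum is not None and value > maximum):
        raise ParameterError(f"integer out of range: {value}")
    return value


def parse_float(raw):
    # Rejects 'nan', 'inf', '1_000' and ' 1.5', all of which float() accepts.
    if not isinstance(raw, str) or FLOAT_RE.fullmatch(raw) is None:
        raise ParameterError(f"not a decimal number: {raw!r}")
    return float(raw)


def parse_bool(raw):
    # Only the four spellings in BOOL_VALUES count; 'yes', 'on', '' are errors.
    if not isinstance(raw, str) or raw.lower() not in BOOL_VALUES:
        raise ParameterError(f"not a boolean: {raw!r}")
    return BOOL_VALUES[raw.lower()]


PARSERS = {"int": parse_int, "float": parse_float, "bool": parse_bool}


def validate_params(raw_params, schema):
    """Check every parameter named in schema against its declared type.

    Returns (clean, errors): clean maps names to typed values, errors maps the
    names that failed to a message. Only values in clean should reach a query,
    and even then through a parameterised statement, not by concatenation.
    """
    clean, errors = {}, {}
    for name, kind in schema.items():
        if name not in raw_params:
            errors[name] = "missing"
            continue
        try:
            clean[name] = PARSERS[kind](raw_params[name])
        except ParameterError as exc:
            errors[name] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed query-string values; "id" is not a valid integer.
    raw = {"id": "5 AND 1=1", "page": "2", "ratio": "0.75", "verbose": "true"}
    schema = {"id": "int", "page": "int", "ratio": "float", "verbose": "bool"}
    print(validate_params(raw, schema))
```

Type validation of this kind is a complement to parameterised queries, not a replacement: it rejects malformed numeric and Boolean parameters early and gives a clear error, but free-text fields such as names still have to be bound as parameters.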

Figure: A classification of SQL injection attack vectors as of 2010.