Skip to Content
Vulnerabilities and Security Testing

What is SQL injection?

SQL injection is an attack in which the criminal inserts database commands inside an ordinary field of the site (a login, a search, an address) that the application forwards to the database without checking. That tricks the system into revealing, changing, or deleting data it should never expose. It is one of the oldest and most destructive web attacks, because a single poorly protected field can hand over the entire customer database.

Zamak TechnologiesUpdated on July 12, 2026

How SQL injection works

The application talks to the database through questions (queries). Injection happens when what the user types is mixed into that question without handling: the attacker's text stops being data and gets read as a command. It is the difference between filling out a form and rewriting the question the system asks the database.

1

Find the right input

The attacker looks for a field that reaches the database: a login form, a search box, a parameter in the page address. Any input that becomes part of a query works as a door.

2

Test the flaw

They type an unusual character, like a single quote, to see if the page breaks or behaves strangely. A database error on the screen is the sign that the input is not being handled.

3

Inject the command

With the flaw confirmed, they insert a snippet of SQL. A classic is adding an always-true condition to skip the password check, or appending a query that pulls other tables.

4

Harvest or destroy

With the command accepted, the database obeys: it copies the whole customer base, changes records, creates an administrator account, or deletes data. A form has become a back door into the database.

Source: OWASP (category A03:2021, Injection).

Where SQL injection gets in

  • Login and sign-up forms, where what is typed becomes part of a query.
  • Search boxes and filters, which build questions to the database from the user's text.
  • Parameters in the page address (the part after the question mark in the URL).
  • Contact forms, comments and any field that saves or queries data.
  • Integration interfaces (APIs) and headers, which also reach the database behind the scenes.

The types of SQL injection

  • Classic (in-band) injection The result comes back on the page itself: the database returns the requested data or an error message that reveals its structure. It is the most direct form and the easiest to exploit.
  • Blind injection The site shows no data and no errors, but it responds differently to true and false commands, or takes longer to answer. The attacker deduces the information question by question, slower and just as dangerous.
  • Out-of-band injection When a direct return is not possible, the command makes the database send the data through another channel, such as a network request to the attacker's server. It is rarer and depends on how the environment is set up.

What is at stake for the business

#3
injection is the third largest risk category in the OWASP Top 10 (2021), on the list for more than two decades
19%
was the maximum incidence of injection among the applications tested for the OWASP Top 10 2021
$ 4.44M
average global cost of a data breach (IBM, 2025)

SQL injection matters because its target is the vault: the database where customers, orders, passwords and financial information live. A successful exploit does not leak one file, it leaks the whole base, and with it comes regulatory exposure (LGPD in Brazil, GDPR in Europe, among others), lost trust and the average US$ 4.44 million cost per breach worldwide (IBM, 2025). The most uncomfortable part is the age of the problem: injection is the third largest risk category in the OWASP Top 10 and has been on the list for more than twenty years, still dangerous because a single forgotten field is enough to open the vault. It is not an exotic frontier threat; it is a known flaw that persists through careless code.

How to protect against SQL injection

SQL injection is not fought with suspicion of the user, but with code discipline. The good news is that the core defense is well known and definitive:

  1. Use parameterized queriesThis is the root fix. A parameterized query separates the command from the data: what the user types is always treated as text, never as part of the instruction. That way, there is no path for text to become a command.
  2. Validate and handle every inputNever trust what comes from outside. Check the format, length and type of each field, and reject anything that strays from what is expected. It is the second layer, complementing parameterized queries.
  3. Apply least privilege on the databaseThe account the application uses to talk to the database does not need to read everything or delete anything. Limiting what it can do reduces the damage even if the injection gets through.
  4. Add a web application firewall (WAF)The WAF filters the application's traffic and blocks known injection patterns before they reach the database. It is an extra layer, not a substitute for fixing the code.
  5. Test continuouslyAutomated scanning and penetration testing find these forgotten fields before the attacker does. Injection leaves the environment when it is looked for on purpose, not when you wait for the incident.

In practice

A single search field, left unhandled, can hand over the entire customer database. It is not the number of forms that protects the company; it is the care taken with each one. That is why the defense against SQL injection lives in the code and the testing, not in asking the user to behave.

How Zamak handles SQL injection

Zamak Technologies treats SQL injection as what it is, a code flaw to be prevented and tested, and works alongside your development team, not in its place: it tests applications for these flaws, points to the fix at the source (parameterized queries, input validation, least privilege on the database) and reinforces the environment with a web application firewall layer. Instead of discovering the flaw through a leak, your company finds and closes it first. It is part of managed Cybersecurity in the Zamak Method, and a good starting point is the cybersecurity diagnostic.

Frequently asked questions about SQL injection

What is SQL injection, in one sentence?
It is an attack in which the criminal inserts database commands inside an ordinary field of the site that does not handle the input, tricking the system into revealing, changing, or deleting data that should be protected.
What is the difference between SQL injection and XSS?
Both are injection flaws, but they aim at different targets. SQL injection attacks the company's database, to steal or change data. XSS attacks the browser of the site's visitor, to steal their session or information. One strikes the vault; the other, the customer.
How do I know if my site is vulnerable to SQL injection?
The right way is to test on purpose: an automated security scan and a penetration test check every field that reaches the database. Trusting that “it never happened” is not a diagnosis; the flaw tends to stay silent until it is exploited.
Why does SQL injection still exist after so many years?
Because the fix depends on discipline in every field of the code, and a single lapse reopens the door. The defensive technique is known and definitive (parameterized queries), but it has to be applied everywhere, all the time.
Does a small company need to worry about SQL injection?
Yes. Attackers use tools that sweep the internet for any site with a vulnerable field, without choosing by size. A brochure site or a simple store with a poorly protected form is already a target.