{{Short description|Computer hacking technique}} {{Use mdy dates|date=February 2012}} [[File:KD SQLIA Classification 2010.png|thumb|alt=Classification of SQL injection attack vectors in 2010|A classification of SQL injection attack vectors as of 2010]] In computing, '''SQL injection''' is a [[code injection]] technique used to [[Attack (computing)|attack]] data-driven applications, in which malicious [[SQL]] statements are inserted into an entry field for execution (e.g. to dump the [[database]] contents to the attacker).<ref>{{cite web |title=SQL Injection |author=Microsoft |url=https://technet.microsoft.com/en-us/library/ms161953%28v=SQL.105%29.aspx |access-date=2013-08-04 |quote=SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. |url-status=live |archive-url=https://web.archive.org/web/20130802094425/http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx |archive-date=August 2, 2013 |language=en}}</ref><ref name=sfw2.12018>{{Cite journal |last1=Zhuo |first1=Z. |last2=Cai |first2=T. |last3=Zhang |first3=X. |last4=Lv |first4=F. |date=April 2021 |title=Long short-term memory on abstract syntax tree for SQL injection detection |journal=IET Software |language=en |volume=15 |issue=2 |pages=188–197 |doi=10.1049/sfw2.12018 |doi-access= |s2cid=233582569 |issn=1751-8806}}</ref> SQL injection must exploit a [[security vulnerability]] in an application's software, for example, when user input is either incorrectly filtered for [[string literal]] [[escape sequence|escape characters]] embedded in SQL statements, or when user input is not [[Strongly-typed programming language|strongly typed]] and is unexpectedly executed. SQL injection is mostly known as an [[attack vector]] for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to [[Spoofing attack|spoof]] identity, tamper with existing [[data]], cause repudiation issues such as voiding transactions or changing balances, disclose all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented [[NoSQL]] databases can also be affected by this security vulnerability.{{Citation needed|date=March 2025}} SQL injection remains a widely recognized security risk due to its potential to compromise sensitive data. The [[Open Web Application Security Project]] (OWASP) describes it as a vulnerability that occurs when applications construct database queries using unvalidated user input. Exploiting this flaw, attackers can execute unintended database commands, potentially accessing, modifying, or deleting data.
OWASP outlines several mitigation strategies, including [[Prepared statement|prepared statements]], [[Stored procedure|stored procedures]], and [[input validation]], to prevent user input from being misinterpreted as executable SQL code.<ref name=":0">{{Cite web |title=SQL Injection Prevention Cheat Sheet |url=https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html |access-date=10 March 2025 |website=Open Web Application Security Project (OWASP)}}</ref>
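The following is an added illustration, not part of the article or of OWASP's cheat sheet: it contrasts a query built by string concatenation (the flaw described above, where a quote character in the input changes the statement's structure) with the prepared-statement mitigation OWASP recommends. The in-memory SQLite table and the names in it are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database: a small users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the input is spliced into the SQL text, so the
    database parses whatever quote characters it contains as SQL syntax."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: a prepared statement with a bound parameter. The
    driver passes the input as a value; it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, name):
    """True if the concatenated query fails to parse for this input, which is
    what happens to legitimate input containing a quote (e.g. an Irish name)."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A quote in ordinary input already changes the statement's structure.
    print("unsafe, O'Brien  ->", "syntax error" if unsafe_query_breaks(db, "O'Brien") else "ok")
    print("safe,   O'Brien  ->", lookup_safe(db, "O'Brien"))
    # Input that closes the literal and appends a tautology returns every row
    # through the unsafe path but nothing through the parameterised one.
    probe = "x' OR '1'='1"
    print("unsafe, tautology->", lookup_unsafe(db, probe))
    print("safe,   tautology->", lookup_safe(db, probe))
```

The takeaway is that the parameterised version is correct for both inputs: it neither breaks on a legitimate apostrophe nor lets a quote character alter the WHERE clause.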