SQL injection attacks

SQL Injection

SQL injection attacks target websites (and any other application) that build queries for a relational database from user-supplied input.

In this type of site, request parameters are pasted into the text of an SQL query before it is sent to the database. If the developer does not check or properly bind the parameters used in the query, an attacker can alter the query's meaning in order to read the entire database, or even to modify its content.

Some characters have a special meaning to the SQL parser: the quote that closes a string literal, the semicolon that lets several statements be chained, and comment markers (such as -- or /* */) that make the database ignore the rest of the query. By inserting such characters into a parameter, an attacker can potentially execute the query of their choice.

Consider the following query, which expects a user name as its parameter:

SELECT * FROM users WHERE name="$name";

An attacker simply needs to enter a name such as toto" OR 1=1 OR name ="titi (the quotes typed by the attacker close and reopen the string literal; the outer quotes come from the query template) for the query to become:

SELECT * FROM users WHERE name="toto" OR 1=1 OR name ="titi";

In the resulting query the WHERE clause is always true, since 1=1 holds for every row, so instead of returning a single user the query returns the records of all users.
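The following is an added example, not code from the original page, that runs the injection above against an in-memory SQLite table of constructed sample users and shows the parameterised fix beside the vulnerable query. It uses the standard single-quote string delimiter rather than the double quotes of the page's template (the mechanism is identical), and it also shows the comment-marker variant (--) that discards the rest of the query. Table and row contents are invented for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("toto", "user"), ("titi", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the attacker-controlled value is pasted into the
    # SQL text, so quotes and operators typed by the user are parsed as SQL.
    query = "SELECT name, role FROM users WHERE name='%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value is bound as a parameter; the database never parses it
    # as SQL, so a quote in the name is just a character of the name.
    return conn.execute(
        "SELECT name, role FROM users WHERE name=?", (name,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    honest = "toto"
    # Closes the literal and appends an always-true clause, as in the page's example.
    tautology = "toto' OR 1=1 OR name='titi"
    # Closes the literal, adds 1=1, then comments out the trailing quote of the template.
    comment = "nobody' OR 1=1 --"
    return {
        "vuln_honest": find_user_vulnerable(conn, honest),
        "vuln_tautology": find_user_vulnerable(conn, tautology),
        "vuln_comment": find_user_vulnerable(conn, comment),
        "safe_tautology": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable function returns one row for the honest name and every row for either payload; the parameterised function returns no rows for the payload, because it looks for a user literally named toto' OR 1=1 OR name='titi.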

Stored procedures

Moreover, some database management systems such as Microsoft SQL Server ship with stored procedures that can launch administration commands at the operating-system level (xp_cmdshell is the best-known example). These procedures are dangerous when an injection is possible, because they let a malicious user execute system commands through the database, which can turn a query manipulation into a full intrusion of the server.


A number of rules can help you protect yourself against SQL injection attacks:

  • Never build queries by concatenating user input into the SQL text; use parameterised (prepared) queries so that values are bound rather than parsed as SQL;
  • Verify the format of input data as a second layer, preferably against an allowlist of accepted characters or values, and reject parameters that contain unexpected special characters;
  • Do not display explicit error messages that reveal the query or a part of the SQL query; log the details server-side and return a generic message to the client;
  • Delete unused database accounts, and in particular default accounts;
  • Avoid accounts without passwords;
  • Keep the privileges of the accounts used by the application to the minimum required;
  • Disable or remove stored procedures you do not need, and in particular those that execute system commands.
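As an added example (not from the original page) of the input-validation and error-handling rules, the code below handles a search request whose sort column is chosen by the client. Column names cannot be bound as query parameters, so the identifier is checked against a fixed allowlist, while the search value is format-checked and then bound. Database errors are logged in full but the client only ever sees a generic message. The schema, the allowed columns, the format rule and the request shape are all assumptions made for this example.

```python
import logging
import re
import sqlite3

log = logging.getLogger("sqli-demo")

# Hypothetical schema for this example. Identifiers cannot be bound as query
# parameters, so an allowlist is the only safe way to let a client pick a column.
ALLOWED_SORT_COLUMNS = ("id", "name", "role")
# Format rule for the search prefix (an assumption for this example): letters,
# digits and a few safe punctuation characters, bounded in length. It also keeps
# out the LIKE wildcards '%' and '_'. The value is still bound as a parameter.
PREFIX_RE = re.compile(r"^[A-Za-z0-9.-]{1,32}$")


class BadInput(ValueError):
    """Raised when a request parameter fails format or allowlist validation."""


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("toto", "user"), ("titi", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def search_users(conn: sqlite3.Connection, prefix: str, sort_by: str = "name") -> list:
    if not PREFIX_RE.match(prefix):
        raise BadInput("search value has an invalid format")
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise BadInput("unknown sort column")
    # The identifier comes from our own allowlist, so interpolating it is safe;
    # the user-controlled value is bound with '?' and never parsed as SQL.
    sql = f"SELECT name, role FROM users WHERE name LIKE ? ORDER BY {sort_by}"
    return conn.execute(sql, (prefix + "%",)).fetchall()


def handle_request(conn: sqlite3.Connection, params: dict) -> tuple:
    """Return (http_status, body) for a request; never leak SQL to the client."""
    try:
        rows = search_users(conn, params.get("q", ""), params.get("sort", "name"))
        return 200, [{"name": name, "role": role} for name, role in rows]
    except BadInput as exc:
        return 400, {"error": str(exc)}
    except sqlite3.Error:
        # Full details (including the failing statement) go to the server log only.
        log.exception("database error while handling %r", params)
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"q": "t"}))
    print(handle_request(db, {"q": "t' OR 1=1 --"}))
    print(handle_request(db, {"q": "t", "sort": "name; DROP TABLE users"}))
```

An injection attempt in either parameter is rejected with a 400 before any query is built; a genuine database failure (simulated in the test by closing the connection) yields a 500 with a generic body while the exception is logged server-side.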
This document, titled « SQL injection attacks », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (ccm.net).