SQL injection is a code injection technique that exploits vulnerabilities in the database layer of an application. It occurs when user input is not properly validated or escaped and is placed directly into the text of an SQL query, so that the input is interpreted as part of the query rather than as data.
This form demonstrates a login page vulnerable to SQL injection attacks.
Try these payloads in the login form above (for the first three, the password can be anything):
admin' --
' OR '1'='1' --
admin' OR '1'='1
' UNION SELECT 1, username, password, email FROM users --
' UNION SELECT 1, table_name, table_schema, 4 FROM information_schema.tables --
' UNION SELECT 1, version(), 3, 4 --
Always use parameterized queries to ensure that user input is treated as data, not executable code.
// The ? placeholders are bound separately from the SQL text, so the
// database never parses user input as part of the query.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);
ORMs like Doctrine, Eloquent, or Hibernate provide an additional layer of protection because they generate parameterized queries by default; their raw-query escape hatches are only as safe as the code that calls them, so never concatenate user input into those either.
Validate and sanitize all user inputs using appropriate methods. Validation complements parameterized queries but does not replace them: prefer an allow-list that accepts only the characters a field can legitimately contain.
// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and does not prevent SQL injection;
// an allow-list regex rejects anything that cannot be a valid username.
$username = filter_input(INPUT_POST, 'username', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']]);
if ($username === false || $username === null) {
    // Reject the request; do not fall back to the raw value.
}
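To make the difference between the vulnerable query and the two mitigations above concrete, here is an added example that is not part of the original page. It uses Python's sqlite3 module as a stand-in for PHP/PDO, a constructed in-memory users table, and the page's own login payloads: the concatenated query authenticates the attacker as admin, while the parameterized query treats the same input as a literal username and finds nothing, and the allow-list check rejects it before it reaches the database. The table contents, regex and function names are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed demo data: a tiny users table in an in-memory SQLite database.
# Passwords are stored in plain text only to mirror the page's demo query;
# a real application stores a salted password hash instead.
SEED_USERS = [
    (1, "admin", "s3cret-admin", "admin@example.test"),
    (2, "alice", "alice-pass", "alice@example.test"),
]

# Allow-list: only characters that can appear in a legitimate username.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Create the demo database and load the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The flaw the page describes: user input concatenated into the SQL text.
    Returns the matched username, or None."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """The page's fix: placeholders keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def login_validated(conn, username: str, password: str):
    """Allow-list validation layered in front of the parameterized query:
    input that cannot be a username is rejected before any query runs."""
    if not USERNAME_RE.fullmatch(username):
        return None
    return login_parameterized(conn, username, password)


def compare(username: str, password: str) -> dict:
    """Run one credential pair through all three login paths."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
            "validated": login_validated(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Payloads from the page's list; the password is deliberately wrong,
    # so any non-None result from login_vulnerable is an authentication bypass.
    for payload in ["admin' --", "' OR '1'='1' --", "admin"]:
        print(repr(payload), compare(payload, "wrong-password"))
```

Note that the validated path rejects the payloads on shape alone, which is why allow-list validation is a useful second line of defence, but it is the parameterized query that actually removes the injection: a username such as O'Brien would fail the regex yet be handled correctly by the placeholder.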
Use database accounts with minimal privileges required for the application to function.
A web application firewall (WAF) can detect and block common SQL injection patterns, but it is a defense-in-depth control, not a substitute for parameterized queries.
Don't expose detailed database error messages to users, as they can reveal table and column names and the database version; log them server-side and return a generic error instead.