🧠 How it works
The backend builds the query by concatenating user input directly into the SQL string:
SELECT * FROM users WHERE username = 'input'
Attacker inputs:
' OR '1'='1
Final query:
SELECT * FROM users WHERE username='' OR '1'='1'
👉 The WHERE clause is always TRUE, so every row matches → login bypass
⚠️ What attackers can do
- Dump entire database
- Modify data
- Delete tables
- Execute system commands (advanced cases)
🔍 Types of SQL Injection
1. In-band
Query results (or database errors) are returned directly in the application's response
2. Blind SQLi
No query output is returned; the attacker infers results one yes/no question at a time from:
- TRUE/FALSE responses
- Time delays
3. Time-based example (MySQL syntax)
' OR IF(1=1, SLEEP(5), 0) --
👉 If the response is delayed by about 5 seconds → injection confirmed
🛡️ Prevention (MOST IMPORTANT)
✔ Prepared Statements
db.query("SELECT * FROM users WHERE username = ?", [input])
👉 The query text and the bound value travel separately, so input is treated as data, never parsed as SQL code
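To make both points concrete (the login bypass above and why the `?` placeholder stops it), here is an added example, not code from the original post, that runs the page's `' OR '1'='1` input against a constructed in-memory SQLite table with two made-up users:

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def build_vulnerable_sql(username):
    # The bug: the input is spliced into the SQL text, so quotes in the
    # input change the structure of the statement.
    return f"SELECT username FROM users WHERE username = '{username}'"


def find_user_vulnerable(conn, username):
    # Executes the concatenated query exactly as the backend on this page does.
    rows = conn.execute(build_vulnerable_sql(username)).fetchall()
    return sorted(row[0] for row in rows)


def find_user_safe(conn, username):
    # Prepared statement: the SQL text is fixed, the value is bound by the
    # driver as data. The quotes in the input are compared literally.
    sql = "SELECT username FROM users WHERE username = ?"
    rows = conn.execute(sql, (username,)).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(build_vulnerable_sql(payload))          # the "final query" from above
    print(find_user_vulnerable(db, payload))      # every user matches
    print(find_user_safe(db, payload))            # no user has that literal name
```

The vulnerable path returns every account for the payload while the parameterised path returns nothing, which is also a useful regression test to keep in a code base that once had this bug.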
✔ ORM usage
- Sequelize
- Hibernate
- Prisma
✔ Additional protections
- Input validation
- Escape output
- Least privilege DB user
- WAF (secondary layer)
🎯 Key takeaway
👉 Never concatenate user input into queries
👉 Always separate logic and data