SQL Injection Guide

01 //How SQL Injection Happens

SQL Injection (SQLi) is one of the most dangerous and common vulnerabilities in web applications. It allows attackers to manipulate SQL queries by injecting malicious input. Understanding SQLi means understanding how untrusted input flows into dangerous functions—and how to stop it.

⚠ Real-world impact

SQL injection vulnerabilities have led to major data breaches affecting millions of users, resulting in reputational damage, regulatory fines, and legal consequences. Companies have faced losses in the millions due to a single well-executed SQL injection attack that exposed customer data or financial information.

$ at its core

SQL Injection occurs when: 1) User input is directly inserted into an SQL query. 2) That query is executed by the database without proper sanitization or parameterization.

vulnerable.py

python

1# Vulnerable code
2username = request.GET["username"]
3query = "SELECT * FROM users WHERE username = '%s'" % username
4cursor.execute(query)

If username is admin' --, the final query becomes: SELECT * FROM users WHERE username = 'admin' --'. The attacker logs in without a password.

What part of the code above is the sink? What part is the source?

$ try it: payload sandbox

// pick a query template or write one

// inject malicious input

// resulting query (injected span highlighted)

SELECT * FROM users WHERE username = 'admin' --' AND password = 'user_password'

note: injected span changes the query's structure — auth bypass and arbitrary SQL become possible.

$ ./diagram --sqli-attack-flow

Attacker

admin' --

→

Vulnerable Site

direct SQL execution

→

Database

unintended data access

Data Disclosure

PII, credentials, business data leaked

Unauthorized Access

Data Corruption

tables dropped, rows tampered

02 //What are Sinks?

A sink is any function or method that executes a query using data. If that data is attacker-controlled, the sink becomes dangerous.

Common SQL Injection Sinks

Language	Sink Function(s)
Python (psycopg2, MySQLdb)	cursor.execute, cursor.executemany
PHP (PDO, MySQLi)	$pdo->query, $pdo->exec, mysqli_query
Java (JDBC)	Statement.executeQuery, Statement.executeUpdate
Node.js (mysql, pg)	connection.query, pool.query
Ruby (ActiveRecord)	find_by_sql, where with interpolation
C# (ADO.NET)	SqlCommand.ExecuteReader, .ExecuteNonQuery

Match the SQL Injection Sinks to Their Languages

Drag each SQL sink function to its corresponding programming language category

Python

PHP

Node.js

Java

Ruby

Available Sinks

cursor.execute(query)

mysqli_query($conn, $query)

connection.query(query)

Statement.executeQuery(query)

SqlCommand.ExecuteReader(query)

find_by_sql(query)

Learn the patterns,
then go find them.

01 //How SQL Injection Happens

02 //What are Sinks?

Common SQL Injection Sinks

Match the SQL Injection Sinks to Their Languages

Available Sinks

Blurred Premium Content

More Value Behind This Gate

Premium Content

Learn the patterns,then go find them.

01 //How SQL Injection Happens

02 //What are Sinks?

Common SQL Injection Sinks

Match the SQL Injection Sinks to Their Languages

Available Sinks

Blurred Premium Content

More Value Behind This Gate

Premium Content

Learn the patterns,
then go find them.