SQL Injection (SQLi)

Verified by Precogs Threat Research

What is SQL Injection (SQLi)?

SQL Injection (SQLi) is a critical web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.

In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

How does SQL Injection work?

Consider a shopping application that displays products in different categories. When the user clicks on the Gifts category, their browser requests the URL: https://insecure-website.com/products?category=Gifts

This causes the application to make an SQL query to retrieve details of the relevant products from the database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

This SQL query asks the database to return:

  • all details (*) from the products table
  • where the category is Gifts
  • and released is 1

The restriction released = 1 is being used to hide products that are not released. For unreleased products, presumably released = 0. Let's see what happens when the user appends '-- to the category value in the URL to inject SQL syntax.

https://insecure-website.com/products?category=Gifts'--

The SQL query executed on the database becomes:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

The double-dash sequence -- is a comment indicator in SQL, and tells the database to ignore the rest of the line. The single quote closes the string literal early, and the comment then swallows the AND released = 1 condition entirely, so the query returns unreleased products to the attacker!

Real-World Impact

A successful SQL injection exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE), execute administrative operations on the database (such as shutting down the DBMS), recover the contents of a given file on the DBMS file system, and in some cases issue commands to the operating system.

Detection and Prevention

The most effective way to prevent SQL injection is to clearly separate the data from the SQL statements using Prepared Statements (Parameterized Queries). The statement text is sent to the database with placeholders, and the user-supplied values are sent separately, so the input can never change the structure of the statement; it is only ever compared as data.

Vulnerable Code Example (Node.js)

// AVOID THIS: String concatenation for queries
const category = req.query.category;
const query = `SELECT * FROM products WHERE category = '${category}'`;
db.query(query, (err, result) => { /* ... */ });

Secured Code Example (Node.js)

// DO THIS: Parameterized Queries
const category = req.query.category;
// The statement text is fixed; '?' is the placeholder used by the mysql/mysql2
// drivers (node-postgres uses $1, $2, ...). The value is passed separately.
const query = 'SELECT * FROM products WHERE category = ?';
db.query(query, [category], (err, result) => { /* ... */ });
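To make the difference between the two snippets concrete, here is an added example (not code from the original page) that runs the page's Gifts'-- input through both query styles and, with a tiny lexer written for this illustration, shows what the database engine sees once comments are dropped. The lexer only understands single-quoted literals (with '' escaping) and -- line comments; buildUnsafe, buildSafe, tokenize, effectiveSql and enforcesReleased are names chosen here, not part of any driver.

```javascript
// Added example for this guide, not code from the original page: the same
// category value run through the page's two query styles, plus a tiny lexer
// that shows what the database engine sees after comments are dropped. The
// lexer handles only single-quoted literals (with '' escaping) and -- line
// comments; it is an illustration, not a full SQL parser.

// Vulnerable construction: the value is spliced into the statement text.
function buildUnsafe(category) {
  return `SELECT * FROM products WHERE category = '${category}' AND released = 1`;
}

// Parameterized construction: the statement text is a constant and the value
// is handed to the driver separately, so it can only ever be compared as data.
function buildSafe(category) {
  return {
    sql: 'SELECT * FROM products WHERE category = ? AND released = 1',
    params: [category],
  };
}

// Split statement text into 'sql', 'string' and 'comment' tokens.
function tokenize(sql) {
  const tokens = [];
  let buf = '';
  let i = 0;
  const flush = () => {
    if (buf) tokens.push({ kind: 'sql', text: buf });
    buf = '';
  };
  while (i < sql.length) {
    if (sql.startsWith('--', i)) {
      // a -- comment runs to the end of the line
      flush();
      const nl = sql.indexOf('\n', i);
      const stop = nl === -1 ? sql.length : nl;
      tokens.push({ kind: 'comment', text: sql.slice(i, stop) });
      i = stop;
    } else if (sql[i] === "'") {
      flush();
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; } // '' is an escaped quote
          break;
        }
        j += 1;
      }
      const terminated = j < sql.length; // false: the literal never closed
      tokens.push({ kind: 'string', text: sql.slice(i, terminated ? j + 1 : sql.length), terminated });
      i = terminated ? j + 1 : sql.length;
    } else {
      buf += sql[i];
      i += 1;
    }
  }
  flush();
  return tokens;
}

// The statement with comments removed: what actually gets parsed and planned.
function effectiveSql(sql) {
  return tokenize(sql)
    .filter((t) => t.kind !== 'comment')
    .map((t) => t.text)
    .join('')
    .trim();
}

// Is "released = 1" still present as SQL (not inside a string or a comment)?
function enforcesReleased(sql) {
  return tokenize(sql).some((t) => t.kind === 'sql' && /\breleased\s*=\s*1\b/i.test(t.text));
}

// The page's example input with the injected comment marker.
const INJECTED = "Gifts'--";

console.log('concatenated :', effectiveSql(buildUnsafe(INJECTED)));
console.log('  enforces released = 1?', enforcesReleased(buildUnsafe(INJECTED)));
const safe = buildSafe(INJECTED);
console.log('parameterized:', safe.sql, 'with params', safe.params);
console.log('  enforces released = 1?', enforcesReleased(safe.sql));
```

With the concatenated query, the lexer classifies everything after the injected -- as a comment, and the released = 1 restriction disappears from the effective SQL. With the parameterized query, the statement text never contains the input at all, so the restriction survives whatever value arrives; a lone stray quote in the concatenated form simply leaves an unterminated literal, which a real database would reject as a syntax error.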

How Precogs AI Stops SQLi

Precogs AI's static analysis engine natively understands SQL dialects and data flow through your application.

  1. Autonomous Detection: Precogs flags unsanitized user inputs flowing into raw SQL queries across 14+ languages.
  2. AutoFix PR Generation: Instead of just sending an alert, the Precogs AutoFix agent opens a Pull Request that instantly rewrites the raw string concatenation into a secure Prepared Statement, applying the correct parameterization syntax for your specific raw driver or ORM.
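The detection step above rests on one idea: follow a value from a request field to the statement argument of a database call. As an added illustration of that idea (not the Precogs engine or any of its code), the following toy, line-by-line taint check does exactly that for the two Node.js snippets on this page plus a constructed inline-template case. It assumes Express-style req.query, req.body and req.params as the taint sources and one statement per line; SOURCE_PATTERN, identifiersIn, firstArgument and findRawSqlSinks are names chosen here.

```javascript
// Added example, not the Precogs engine: a toy, line-by-line taint check that
// follows values from Express-style request fields into the first argument of
// a .query(...) or .execute(...) call. Assumptions: req.query, req.body and
// req.params are the taint sources; code is straight-line, one statement per
// line, as in the snippets on this page. A real analyzer works on an AST and
// tracks flows across functions, files and sanitizers.

const SOURCE_PATTERN = /\breq\.(?:query|body|params)(?:\.[\w$]+|\[[^\]]*\])*/;

// Identifiers an expression reads as code. Text inside string and template
// literals is skipped, but ${...} substitutions inside templates are code.
function identifiersIn(expr) {
  const ids = new Set();
  for (const m of expr.matchAll(/\$\{([^}]*)\}/g)) {
    for (const id of m[1].match(/[A-Za-z_$][\w$]*/g) || []) ids.add(id);
  }
  const code = expr.replace(/`(?:[^`\\]|\\.)*`|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g, ' ');
  for (const id of code.match(/[A-Za-z_$][\w$]*/g) || []) ids.add(id);
  return ids;
}

// The text of a call's first argument: up to the first top-level comma or the
// paren that closes the call, honouring quotes and nested brackets.
function firstArgument(tail) {
  let depth = 0;
  let quote = null;
  let out = '';
  for (const ch of tail) {
    if (quote) {
      out += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === '`') quote = ch;
    else if ('([{'.includes(ch)) depth += 1;
    else if (')]}'.includes(ch)) {
      if (depth === 0) break;
      depth -= 1;
    } else if (ch === ',' && depth === 0) break;
    out += ch;
  }
  return out.trim();
}

// Report every .query/.execute call whose statement argument derives from a
// request field, together with the field it came from.
function findRawSqlSinks(source) {
  const tainted = new Map(); // variable name -> request field it derives from
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const decl = line.match(/^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.*?);?\s*$/);
    if (decl) {
      const [, name, rhs] = decl;
      const direct = rhs.match(SOURCE_PATTERN);
      if (direct) tainted.set(name, direct[0]);
      for (const id of identifiersIn(rhs)) {
        if (tainted.has(id) && id !== name) tainted.set(name, tainted.get(id));
      }
    }
    const sink = line.match(/\.(query|execute)\s*\((.*)$/);
    if (sink) {
      const arg = firstArgument(sink[2]);
      const direct = arg.match(SOURCE_PATTERN);
      const viaVar = [...identifiersIn(arg)].find((id) => tainted.has(id));
      if (direct || viaVar) {
        findings.push({
          line: idx + 1,
          sink: sink[1],
          argument: arg,
          source: direct ? direct[0] : tainted.get(viaVar),
        });
      }
    }
  });
  return findings;
}

// Constructed inputs: the two snippets from this page plus an inline template.
const VULNERABLE_SNIPPET = [
  '// AVOID THIS: String concatenation for queries',
  'const category = req.query.category;',
  "const query = `SELECT * FROM products WHERE category = '${category}'`;",
  'db.query(query, (err, result) => { /* ... */ });',
].join('\n');

const SECURED_SNIPPET = [
  '// DO THIS: Parameterized Queries',
  'const category = req.query.category;',
  "const query = 'SELECT * FROM products WHERE category = ?';",
  'db.query(query, [category], (err, result) => { /* ... */ });',
].join('\n');

const INLINE_SNIPPET = 'db.execute(`SELECT * FROM products WHERE id = ${req.params.id}`);';

console.log('vulnerable:', findRawSqlSinks(VULNERABLE_SNIPPET));
console.log('secured   :', findRawSqlSinks(SECURED_SNIPPET));
console.log('inline    :', findRawSqlSinks(INLINE_SNIPPET));
```

The secured snippet produces no finding even though category is tainted, because the taint reaches the params array rather than the statement text; that distinction (statement argument versus bound value) is what a parameterization-aware check has to make, and it is also why a check that merely looks for request data anywhere near a query call would drown in false positives.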

Related CWE Entries