A Deeper Look at SQLi
SQL Injection (SQLi) remains one of the most severe and common web application attacks. It targets the application tier's interaction with the data tier.
Blind SQL Injection
Sometimes the server's response contains neither query output nor a database error message (the usual indicator of classic SQLi). This is called Blind SQLi.
- Method: The attacker infers information by sending queries that change the server's response in a small but measurable way (e.g., a 1-second delay when a condition is true, or a slightly different page layout), recovering the data one condition at a time.
- Tools: Tools like sqlmap (Kali tool) automate blind SQL injection, making it practical despite the slow, byte-by-byte recovery process.
Defense: Parameterized Queries
The only reliable defense against SQLi is to use Parameterized Queries (or Prepared Statements).
- The SQL statement's structure is sent to, and compiled by, the database before the user input is supplied.
- The database then binds the user input as pure data, never as executable SQL, so quotes or operators inside it cannot change the query's structure and the malicious syntax never runs.
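Added example (not part of the original page): the same lookup written once with string formatting and once with a bound parameter, run against a constructed in-memory SQLite table, so the difference in how the database treats the input can be observed directly. The table, rows and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The user-supplied string is spliced into the SQL text, so any quote
    # characters in it become part of the query's structure.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The SQL structure is fixed and compiled first; the value is bound
    # afterwards as pure data and cannot alter the WHERE clause.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    conn = make_db()
    benign = "bob"
    # A textbook tautology input, sent unchanged to both functions.
    hostile = "' OR '1'='1"
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),      # [('bob', 'user')]
        "benign_param": lookup_parameterized(conn, benign),  # [('bob', 'user')]
        "hostile_vuln": lookup_vulnerable(conn, hostile),    # all three rows
        "hostile_param": lookup_parameterized(conn, hostile),  # [] (literal no-match)
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the bound parameter the hostile string is compared literally against the username column and matches nothing, which is exactly the "input is data, not code" property described above.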