
SQL Injection (SQLi)

An injection flaw where attacker-controlled input is concatenated into a SQL statement, letting the attacker read, modify, or exfiltrate database content.

Explainer

What it is

SQL injection happens whenever untrusted input reaches a SQL statement without parameterisation. The attacker supplies values that break out of the intended literal and extend the statement. Classic techniques include union-based reads, error-based extraction, boolean blind probes, and time-based blind probes using database-specific delay primitives.

Why it matters

The database holds the application’s most valuable state. A single injection in an authentication flow can drop a user table, bypass login entirely, or pivot into file-read primitives on drivers that support them. Historical breaches at the scale of hundreds of millions of records have had SQL injection as their root cause.

Mitigation direction

Use parameterised queries everywhere. ORMs help, but raw queries still appear in migrations, reporting, and admin tooling. Add input validation as defence-in-depth, not as the primary defence. Least-privilege database roles prevent a successful injection from reaching tables the application should never touch; a webhook-only service should not hold DDL rights.

  • Cross-Site Scripting (XSS)

    An injection flaw where attacker-controlled data reaches a browser-side scripting sink, letting the attacker execute script in the victim's session origin.

  • Log4Shell (CVE-2021-44228)

    A remote code execution flaw in Apache Log4j 2.x where JNDI lookups inside logged strings caused servers to fetch and execute attacker classes.

  • XML External Entity (XXE)

    A defect in XML parsers that dereference external entity declarations, letting attackers read local files, trigger SSRF, or exhaust resources.
