Understanding SQL Injection: Types, Techniques, and Defenses (OWASP Top 10)
This article explains the fundamentals of injection attacks, focuses on SQL injection as part of the OWASP Top 10, classifies injection vectors by data type, submission method, and impact, and provides concrete examples and defensive measures to protect web applications.
OWASP Top 10 lists the most critical web‑application security risks, and the first article in the series introduces injection attacks, especially SQL injection, which occurs when unfiltered user input is executed as SQL code on the database server.
What is injection? It is the execution of malicious data supplied by the attacker because the application fails to filter or sanitize the input.
Common injection categories include SQL injection, command injection, code injection, LDAP injection, XML/XXE injection, JSON injection, and JSONP injection. This article concentrates on the SQL injection process and its mitigation.
SQL injection is described as inserting SQL commands into web‑form fields or query strings to trick the database into executing malicious statements.
Classification by injection point type:
Numeric injection point – e.g., http://xxx.com/index.php?id=1 with a query SELECT * FROM table WHERE id=1.
String injection point – e.g., http://xxx.com/index.php?name=admin with a query SELECT * FROM table WHERE name='admin'.
Search‑type injection point – e.g., keyword='and [condition] and %' leading to SELECT * FROM table WHERE column LIKE '%[condition]%'.
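The three injection point types above differ only in how the application splices user input into the statement. The following added example (written for this article, not code from the original author or from 360) builds each of the three query shapes against a constructed in-memory SQLite table named member, once by string concatenation and once with bound parameters, so the structural difference is visible. The probe strings reuse the article's own blind payload, adapted from mid() to substr() because SQLite has no mid(); the table contents and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed in-memory data standing in for the article's `member` table
# (names and rows are invented for this example).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member (userid INTEGER PRIMARY KEY, u_name TEXT NOT NULL);
        INSERT INTO member VALUES (1, 'admin');
        INSERT INTO member VALUES (2, 'alice');
        INSERT INTO member VALUES (3, '100%_done');
    """)
    return conn


def _names(rows):
    return [r[0] for r in rows]


# --- Numeric injection point: ?id=1 -> WHERE userid=1 ------------------------

def numeric_vulnerable(conn, id_param: str):
    # The raw parameter is spliced into the statement, so whatever follows the
    # number becomes part of the WHERE clause (no quotes needed to break out).
    sql = f"SELECT u_name FROM member WHERE userid={id_param} ORDER BY userid"
    return _names(conn.execute(sql))


def numeric_safe(conn, id_param: str):
    # Validate the type first, then bind; the driver never parses the value as SQL.
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT u_name FROM member WHERE userid=? ORDER BY userid"
    return _names(conn.execute(sql, (int(id_param),)))


# --- String injection point: ?name=admin -> WHERE u_name='admin' ------------

def string_vulnerable(conn, name: str):
    # A single quote in the input closes the literal and the rest is executed.
    sql = f"SELECT u_name FROM member WHERE u_name='{name}' ORDER BY userid"
    return _names(conn.execute(sql))


def string_safe(conn, name: str):
    # Bound value: quotes inside `name` stay inside the literal.
    sql = "SELECT u_name FROM member WHERE u_name=? ORDER BY userid"
    return _names(conn.execute(sql, (name,)))


# --- Search-type injection point: ?keyword=x -> WHERE u_name LIKE '%x%' -----

def search_vulnerable(conn, keyword: str):
    # Same splice problem as the string point, plus LIKE wildcards in the input
    # (% and _) silently widen the match.
    sql = f"SELECT u_name FROM member WHERE u_name LIKE '%{keyword}%' ORDER BY userid"
    return _names(conn.execute(sql))


def escape_like(s: str) -> str:
    # Binding stops injection but does not neutralise wildcards; escape them too.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, keyword: str):
    sql = "SELECT u_name FROM member WHERE u_name LIKE ? ESCAPE '\\' ORDER BY userid"
    return _names(conn.execute(sql, (f"%{escape_like(keyword)}%",)))


if __name__ == "__main__":
    db = make_db()
    # Article's boolean-blind probe, adapted to SQLite's substr(); the vulnerable
    # path answers the question, the bound path treats it as an ordinary value.
    probe = "admin' AND (SELECT substr(u_name,1,1) FROM member WHERE userid=1)='a"
    print("vulnerable:", string_vulnerable(db, probe))   # ['admin']
    print("parameterized:", string_safe(db, probe))      # []
    print("wildcard widening:", search_vulnerable(db, "%"), "vs", search_safe(db, "%"))
```

The point for a defender is that the search-type case needs two fixes, not one: binding removes the injection, but only the ESCAPE clause stops a bare % or _ from turning a keyword search into a full-table listing.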
Classification by submission method:
GET injection – the payload appears in the URL query string.
POST injection – the payload is sent in the request body, often via HTML forms.
HTTP‑header injection – the payload is placed in headers such as User-Agent or Cookie.
Classification by execution effect (five types):
Boolean blind injection – infer true/false by observing page responses; typical functions used are mid(), substr(), left().
Time‑based blind injection – use sleep(N) or benchmark(count, expr) to cause measurable delays when a condition is true.
Error‑based injection – the database returns error messages that reveal information.
Union‑based injection – leverage UNION to combine attacker‑controlled queries with legitimate ones to extract data.
Stacked (multiple‑statement) injection – execute several statements in a single request.
Examples of blind‑SQL payloads are provided, such as name=-1' AND (SELECT mid(u_name,1,1) FROM member WHERE userid=1)='a' and usage of ASCII() or REGEXP for character checks.
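The function names the article lists for blind injection (mid, substr, left, ASCII, REGEXP, sleep, benchmark), together with the UNION and stacked-statement forms, are also what a defender looks for in access logs. The following added example (not from the original article) scans constructed Apache-style combined log lines for those indicators, URL-decoding the request path and the User-Agent repeatedly so that double-encoded payloads are not missed. The log lines, the indicator names and the field layout are all assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx combined log format (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator patterns built from the article's own list of functions and forms.
# The "\s*\(" suffix is deliberate: a path segment like /left-menu must not fire.
INDICATORS = {
    "blind-char-function": r"\b(?:mid|substr|substring|left|ascii)\s*\(",
    "time-delay-function": r"\b(?:sleep|benchmark)\s*\(",
    "union-select": r"\bunion\b[\s\S]{0,40}?\bselect\b",
    "stacked-statement": r";\s*(?:select|insert|update|delete|drop)\b",
    "regexp-operator": r"\bregexp\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in INDICATORS.items()}

# Header-based vectors (User-Agent, Cookie) only show up if the log records them;
# the combined format carries User-Agent and Referer, so scan those too.
FIELDS = ("path", "referer", "ua")


def full_decode(value: str, max_rounds: int = 3) -> str:
    # Decode until stable so that %2527 -> %27 -> ' is caught.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_field(value: str):
    decoded = full_decode(value)
    return tuple(name for name, rx in COMPILED.items() if rx.search(decoded))


def scan_log(lines):
    """Return (1-based line number, field, indicator names) for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip here, count it in a real pipeline
        for field in FIELDS:
            found = scan_field(m.group(field))
            if found:
                hits.append((n, field, found))
    return hits


# Constructed sample log: one clean request, then the article's payload forms.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?name=-1%27%20AND%20%28SELECT%20mid%28u_name%2C1%2C1%29%20FROM%20member%20WHERE%20userid%3D1%29%3D%27a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?id=1%20AND%20sleep%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0\' AND benchmark(1000000,md5(1))"',
    '10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /left-menu/page?q=select HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /search.php?keyword=x%27%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?id=1%3BSELECT%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?id=1%2520AND%2520sleep%25285%2529 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, field, names in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {field}: {', '.join(names)}")
```

Line 5 is the deliberate false-positive check: "left" and "select" both appear, but neither in a form the article describes, so nothing fires. Line 8 only decodes to sleep(5) on the second pass, which is why the decoder loops instead of calling unquote_plus once.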
The article concludes with author attribution (city‑north Xu Gong, 360 Network Security Academy) and references to the original source.
360 Tech Engineering