SQL injection has been around since the late 1990s. It's been used to steal millions of credit card numbers, expose private health records, drain bank accounts, and bring down major corporations. It consistently ranks among the top web application vulnerabilities in the world. And most business owners have never heard of it.
Here's what it is, in plain language.
First, What Is a Database?
Most websites that do anything useful — take orders, store customer records, manage memberships, run a blog — use a database behind the scenes. When you log in to a website, it checks your username and password against a database. When you place an order, your order details get written to a database. The database is where the real information lives.
Websites communicate with databases using a language called SQL (pronounced "sequel"). A typical instruction might be: "Find the user whose username is 'john' and whose password matches this one."
What SQL Injection Does
SQL injection is an attack where someone inserts their own database commands into a field that's supposed to accept ordinary input — a login form, a search box, a URL, a contact form.
Here's a simplified example. A login form takes a username and looks it up in the database. The query might look like:
Find the user where username = [whatever was typed]
If the developer didn't write this carefully, an attacker can type something like ' OR '1'='1 as the username. The database receives a command that now reads: Find the user where username = '' OR '1'='1'. The second condition is always true, so the check passes for every user. The login succeeds without a valid password. The attacker is in.
More sophisticated injections can do far more damage: dumping the entire contents of a database, deleting records, creating new admin accounts, or reading files from the server.
What Gets Stolen
When SQL injection is used against a database, what gets exposed depends on what's in it. Common targets include:
- Customer names, email addresses, and phone numbers
- Passwords — even hashed ones can often be cracked
- Payment information
- Order history and purchase records
- Private messages
- Employee records
- Business financial data
A single successful SQL injection attack can expose every record in your database in seconds.
Is This Still a Real Threat?
Yes. Despite being one of the most well-documented vulnerabilities in existence, SQL injection remains in the OWASP Top 10 — the authoritative list of the most critical web application security risks. It keeps appearing because developers keep making the same mistakes, often under time pressure or without adequate security training.
How It's Prevented
The fix is well understood: use parameterized queries (also called prepared statements), which separate the SQL command from the user input so that input can never be interpreted as a command. Validate and sanitize every piece of data that comes from outside the application. Never trust user input.
This is standard practice for developers who take security seriously. It is absolutely not standard across the web as a whole.
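To make the difference concrete, here is an added example (not code from the original article) that runs the login lookup from above against a small constructed user table, once with the input pasted into the SQL text and once with a parameterized query. The table contents and function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table with one sample record (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 'hash-of-johns-password')")
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Builds the command by pasting the input into the SQL text. A quote in
    # the input closes the string early and the rest is read as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # The '?' placeholder is filled in by the database driver, so the input
    # is only ever compared as a value and can never become part of the command.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    # Runs the article's input through both versions of the lookup.
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, payload),  # returns ['john']
        "safe": find_user_safe(conn, payload),              # returns []
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version matches every user because the pasted input turns the condition into username = '' OR '1'='1'; the parameterized version searches for a user literally named ' OR '1'='1 and finds nothing.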
If your website collects any data from users — login credentials, form submissions, orders, anything — the code that handles that data needs to be written correctly. If it wasn't, you may be exposed without knowing it.
We write code that handles real threats like this by default. Get in touch if you'd like us to take a look at your site.