
Davide Cavallini : 15 November 2025 15:55
Good morning everyone. I’m Davide Cavallini, a web developer and penetration tester. Today I’m going to talk about injections. There are various types, but what does it conceptually mean to inject? I’ve thought about it, and I think I have a universal answer.
Let’s take a simple example. We have a request to submit to the municipality to obtain a certificate.
The request form is this:
The undersigned __________________________ requests the residence certificate from the municipality of Casaccio.
Normally, the form is filled out by writing your name in the space provided.
The name itself, in computer jargon, is called a “parameter”, because it is precisely the variable part that changes the request according to our needs.
By entering the name “Davide” as the parameter, we ask the office for Davide’s certificate.
But what if the parameter itself alters the structure of the request?
Let’s try to write the following highlighted sentence in the blank space:
The undersigned Antonio together with the undersigned Davide requests the residence certificate from the municipality of Casaccio
At this point the municipality, receiving this request, and assuming its clerk applies no judgement (just as a computer does not), would hand us two documents, both Antonio’s and Davide’s.
The unfiltered space to be filled in, checked in this case by the clerk, thus turns out to be a vulnerability: it makes it easy to submit requests that were never meant for us.
The phrase “Antonio together with” would be called a “payload” in computer terms.
The same thing can happen in databases, but we’re still in the abstract world. If we had a database that retrieves a user’s addresses from a table based on the id passed as a parameter, the request would look something like this:
GET THE USER’S DATA FROM THE “USERS” TABLE WHERE THE ID EQUALS THE ID PARAMETER JUST PASSED
If the ID parameter were “1”, the data for the user with ID 1 would be extracted from the table.
But what if we changed the id we pass to the request like this?
GET THE USER’S DATA FROM THE “USERS” TABLE WHERE THE ID EQUALS ANY ID
In this case, the page could show us the data of every user contained in the database.
In a real situation, the SQL query could be:
select * from users where id=$_GET['id'];
As long as the $_GET['id'] parameter is a number there is no problem. For example, passing $_GET['id'] = 1 produces the query:
SELECT * FROM `users` WHERE id=1;
But what if $_GET['id'] were equal to id, a condition that is always true? In that case we would get back all the users’ data.
In fact, the query
SELECT * FROM `users` WHERE id=id;
returns every user.
At this point it would seem that we would not be able to obtain any other data from the database apart from the users, but THAT IS NOT THE CASE.
There are other SQL commands that allow us to extract further data, provided we know how many columns the original query extracts from its table.
A simple way to find out how many columns the query returns is to append a “UNION SELECT” with an ever-increasing number of columns.
Example:
$_GET['id']=1 union select 1 --
$_GET['id']=1 union select 91827364,91827364 --
$_GET['id']=1 union select 91827364,91827364,91827364 --
$_GET['id']=1 union select 91827364,91827364,91827364,91827364 --
$_GET['id']=1 union select 91827364,91827364,91827364,91827364,91827364 --
If the original select (from users) has 5 columns, the number 91827364 will appear somewhere on the page once you reach this last union select.
At this point we could, for example, replace the number 91827364 with the version() function to see the database version, or use a subselect to read data from other tables, such as:
1 union select 1,2,3,4,( select password from secret);
OR ALSO
1 union select 1,2,3,4,( select concat(username,999, password ) from secret);
In more serious cases, the attacker can also truncate the table (empty it entirely), insert and modify data, or obtain a remote shell on the server where they can execute arbitrary code.
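The vulnerable query above beside a parameterised version, as an added example that is not from the talk: it uses Python’s sqlite3 with constructed sample tables (users, secret) standing in for the talk’s PHP/MySQL setup, and runs the talk’s own “id” and “union select” inputs against both forms so the difference is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the talk's "users" and "secret"
    tables (sample data, not from the original page)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'Davide'), (2, 'Antonio'), (3, 'Maria');
        CREATE TABLE secret(username TEXT, password TEXT);
        INSERT INTO secret VALUES ('admin', 's3cret-placeholder');
    """)
    return con


def vulnerable_lookup(con, user_input):
    """Equivalent of the talk's PHP query: the raw parameter is pasted into
    the SQL text, so it can change the structure of the query rather than
    only the value being compared."""
    sql = "SELECT * FROM users WHERE id=" + user_input
    return con.execute(sql).fetchall()


def safe_lookup(con, user_input):
    """Hardened form: validate that the id is a non-negative integer, then
    bind it as a query parameter. The database receives the SQL text and the
    value separately, so the value is never parsed as SQL.
    Returns None when the input is rejected."""
    if not user_input.isdigit():
        return None
    return con.execute(
        "SELECT * FROM users WHERE id=?", (int(user_input),)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    for payload in ["1", "id", "1 union select 1,(select password from secret)"]:
        print(repr(payload), "vulnerable ->", vulnerable_lookup(con, payload))
        print(repr(payload), "safe       ->", safe_lookup(con, payload))
```

The union input uses two columns because the constructed users table has two, matching the column-counting step described above.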
Database injections are a very serious problem for companies and are still widespread in websites, and in some vulnerable plugins or themes, but they are not the only type of injection possible.
In fact, there are other types of injection that allow remote command execution, or the insertion of JavaScript or HTML into the page.
Companies should always be very careful when developing a web application.
It’s important to work with competent programmers who validate their code with tools like PHPStan, Larastan, SonarQube and other static analysers, and who have at least a basic understanding of cybersecurity. It is therefore important to understand how cyber attacks happen in order to avoid them.
It is equally important to have applications tested in a penetration-testing engagement by a professional ethical hacker.
Davide Cavallini