Red Hot Cyber

Cyber security, cybercrime, hack news, and more

Unveiling the Dark Secrets of Sql Injection Attacks – Learn How to Protect Your Data!

Davide Cavallini : 26 July 2023 23:27

Good morning everyone. I am Davide Cavallini, a Senior Laravel Developer and Penetration Tester.

Today, I will talk to you about injections. There are various types, but what does it conceptually mean to perform an injection?

After some thought, I believe I have a “universal” answer.

Explaining Injections Simply

Let’s take a simple example. We have a request to make to the county’s office, to obtain a certificate.

The request form is as follows:

The undersigned __________________________ requests the certificate of residence from the office of “Random County”.

Normally, the form should be filled out by writing our “name” in the appropriate space.

In computer terms, the “name” is defined as a “parameter”, as it is indeed a variable parameter that varies the request based on our needs.

By inserting the parameter “Davide”, we will request the certificate of Davide to the office.

But what if the parameter itself were to alter the structure of the request?

Let’s try to write the following highlighted sentence in the empty space:

The undersigned Antonio, together with the undersigned Davide requests the certificate of residence from the office of “Random County”.

At this point, the county’s office, receiving this request and assuming it has an employee without reasoning ability, just like computers do not have, would deliver us two documents, both that of Antonio and Davide.

The unfiltered fill-in space, in this case by the employee, would thus reveal a vulnerability to easy requests that we would not be entitled to.

The same phrase “Antonio together with” would be defined in “computer” language as a “Payload”.

Looking It From a Database Perspective

The same thing can happen in databases, but let’s stay in the abstract world for now. If we had a database that fetches the addresses of a user in a table, based on the id, passed as a parameter, the request would be of this type:


If the ID parameter was “1”, the data of the user with ID 1 would be extracted from the table.

But what if we modified the id that we pass to the request in this way?


In this case, the page might show us the data of all the users contained within the database.

In a real situation, the Sql request could be:

SELECT * FROM users where id=$_GET[‘id’];

As long as the $_GET[‘id’] parameter is equal to a number, there is no problem, because the query would be the following: In the example we will pass: $_GET[‘id’] = 1

SELECT * FROM users WHERE id=1;

But what if $_GET[‘id’] was equal to id (always true condition)? In this case we would get back all the user data

In fact, writing the query:

SELECT * FROM users WHERE id=id;

we would get back all the user results.

Apart from the Users…

At this point it would seem that apart from the users we could not get other data from the database, but THAT’S NOT THE CASE.

There are other SQL commands that can allow us to extract other data, knowing how many fields are extracted from the table on which the original query is made.

A simple way to verify how many columns can be extracted is to do a “UNION SELECT” by trying to insert an increasing number of columns.


$_GET[‘id’]=1 union select 1 – –

$_GET[‘id’]=1 union select 91827364,91827364 – –

$_GET[‘id’]=1 union select 91827364,91827364,91827364 – –

$_GET[‘id’]=1 union select 91827364,91827364,91827364,91827364 – –

$_GET[‘id’]=1 union select 91827364,91827364,91827364,91827364,91827364 – –

In the case the first select (from users) had 5 columns, once we get to this last union select, the number 91827364 will appear somewhere on the page.

At this point we could, for example, replace the number 91827364 with the version() function, and see the database version, or make a subselect to see data from other tables, such as:

1 union select 1,2,3,4,(select password from secret);


1 union select 1,2,3,4,(select concat(username,999,password) from secret);

In the worst cases, the hacker can even truncate the table (delete it all), insert and modify data or create remote shells in the server, where to execute arbitrary code.


Database injections are a very serious problem for companies, and are still very present in websites, or in general software, which do not properly filter user inputs.

The impact of successful injection attacks can range from data breaches, data loss, to complete system compromise, depending on the nature and security level of the database and the system that houses it.

To prevent this, the best practice is to employ robust input validation and sanitization, use parameterized queries, and adopt the principle of least privilege when assigning user roles in a database system. This means users should only be given the minimum levels of access necessary to complete their tasks.

Security should be a top priority in the development phase, not an afterthought. A solid knowledge of how injection attacks work and how to prevent them is absolutely essential for developers and system administrators to maintain the security and integrity of their systems.

3 Example Tools for Detecting SQL Injections

There are several tools available that can help detect and prevent SQL injection attacks. Some of the popular ones include:

  1. SQLmap: SQLmap is a powerful open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities. It supports various databases such as MySQL, Oracle, PostgreSQL, and Microsoft SQL Server.


  1. JavaScream: JavaScream is a tool developed by Red Hot Cyber that is designed to help ethical hackers find vulnerable points in a webpage’s JavaScript, including some types of SQL injections.


  1. Havij: Havij is a popular automated SQL injection tool that helps identify and exploit SQL injection vulnerabilities in web applications. It supports various databases such as MySQL, Oracle, and Microsoft SQL Server.


By using these tools, developers and system administrators can proactively detect and prevent SQL injection attacks before they can cause any damage to their systems. However, it is important to note that these tools should not be used to attack or exploit vulnerable systems without prior authorization.

Further Reading

If you’re interested in learning more about how to prevent SQL injection and other types of injection attacks, here are some resources:

Remember, understanding the threats and vulnerabilities that exist in the digital world is the first step in defending against them. Stay safe, keep learning, and let’s build a more secure web together.”

Davide Cavallini
Davide Cavallini is an expert senior developer specialized in Laravel and JavaScript, with significant experience as a penetration tester. His career is marked by a commitment to teaching and sharing his knowledge, contributing to the training of new professionals in software development and cybersecurity. His passion for technology drives him to stay up-to-date and explore new frontiers in computing.