How does a SQL injection attack work?

Understanding one of the simplest, yet most effective, methods of cyber attack


SQL injection (SQLi) remains a major cybersecurity threat, allowing attackers to manipulate databases, steal sensitive data, and disrupt services at organizations of all sizes, despite being well-documented for many years.

“SQL injection is perhaps the best understood class of vulnerability across security professionals. SQL injection has been around for nearly 30 years and is often highly impactful. An innocent field on a web page can let an attacker extract or modify the entire backing database, or even allow the attacker to run code as the database server,” the UK National Cyber Security Centre (NCSC) wrote in a blog post in December 2025.

It continued: “SQL injection is also conceptually attractive as it's illustrative of a recurring problem in cybersecurity; that is, ‘data’ and ‘instructions’ being handled incorrectly. This allows an attacker to supply ‘data’ that is executed by the system as an instruction. It's the same underlying issue for many other critical vulnerability types that include cross-site scripting and exploitation of buffer overflows.”

While SQLi occurrences have declined, they remain a persistent risk. In 2024, SQL injection accounted for 6.7% of vulnerabilities in open-source projects and 10% in closed-source applications – a 14% and 17% decrease from 2023, respectively, according to Aikido Security, but still a threat.

Even widely used services are vulnerable. In an interview, Troy Hunt, founder of Have I Been Pwned, highlighted a breach from January 2025 that was caused by SQLi in a password reset form.

Hunt says that the landscape has “definitely improved due to a combination of factors such as frameworks automatically parameterising queries and the emerging prevalence of easily accessible WAFs like Cloudflare, but we do still see plenty of incidents as a result of SQLi.”

How have SQLi attacks been used?

SQL injection remains a major attack vector for cybercriminals, with recent breaches demonstrating its ability to cause large-scale damage.

In June 2023, attackers exploited an SQLi vulnerability in MOVEit, a managed file transfer software used by businesses and government agencies, leading to the theft of sensitive data from nearly 100 million individuals, affecting banks, health care providers, and educational institutions worldwide. The sheer scale of the attack highlighted how a single SQLi flaw can result in devastating consequences across multiple industries.

To take another example, in mid-2024, a similar vulnerability was discovered in FileCatalyst Workflow, an enterprise file transfer solution, that let authenticated users modify the database through SQL injection during the setup process.

While the vulnerability required user authentication, it showed that SQLi can also be exploited internally, by malicious insiders or by attackers who have already gained initial access. SQLi isn’t just an external threat; companies must also secure internal applications to prevent unauthorized database access.

Hunt has seen firsthand how SQLi continues to be exploited. “One of the most recent breaches listed in Have I Been Pwned was caused by SQL injection on a password reset form,” he explains.

He emphasised that preventing SQLi is not just about securing login pages but also protecting any input field that interacts with a database. When asked about common mistakes, Hunt said it was “definitely a lack of parameterisation of untrusted data. Arguably, there should also be better sanitisation on input, but parameterisation heals all mistakes.”

Beyond data breaches, SQLi can manipulate or destroy entire databases, leading to financial loss and operational disruptions. Attackers can modify records, erase critical business data, or even shut down entire systems, causing long-term damage. Despite widespread awareness of SQLi, many companies still fail to prioritize secure coding, relying on outdated security measures that leave them exposed.

How to defend against SQLi attacks

SQLi remains a serious security risk, but organizations can take several steps to mitigate it. Many attacks succeed because of poor coding practices, particularly when developers fail to secure database queries against malicious input.

SQLi vulnerabilities often arise when applications allow unchecked user input to be executed as part of a database command. Addressing this requires secure coding techniques, proactive security testing, and the use of modern security tools.

One of the most effective ways to prevent SQLi is through parameterized queries and prepared statements, which ensure that user input is treated strictly as data rather than executable code. Web application firewalls (WAFs) also play a role in mitigating SQLi attacks by filtering malicious traffic.
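As an added illustration (not code from the article or from any project it names), the difference between pasting untrusted input into a query string and passing it as a parameter, using Python's built-in sqlite3 module on a constructed in-memory table modelled on a password-reset lookup. The table, rows and input value are all made up for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the article): an in-memory
    # table of the kind a password-reset form might query.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, reset_token TEXT)"
    )
    con.executemany(
        "INSERT INTO users (email, reset_token) VALUES (?, ?)",
        [("alice@example.com", "tok-alice"), ("bob@example.com", "tok-bob")],
    )
    return con


def lookup_unsafe(con, email):
    # VULNERABLE: the input is spliced into the SQL text. A quote character in
    # the input closes the string literal, and whatever follows is parsed as
    # part of the query, i.e. 'data' is executed as an 'instruction'.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, email):
    # Parameterized: the driver sends the value separately from the query
    # text, so the database only ever compares it as a string value. The
    # query's structure cannot change no matter what the input contains.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in con.execute(sql, (email,))]


# Constructed input that alters the WHERE clause when concatenated.
INJECTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print(lookup_unsafe(con, "alice@example.com"))  # ['alice@example.com']
    print(lookup_unsafe(con, INJECTED))  # ['alice@example.com', 'bob@example.com']
    print(lookup_safe(con, INJECTED))  # []
```

With concatenation the second call returns every row because the condition was rewritten; with a parameter the same input is compared as a literal email address and matches nothing.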

While WAFs do not fix the underlying vulnerability, they can be highly effective in blocking real-world exploitation. Hunt emphasises this point, explaining that a WAF that inspects inbound traffic can stop SQLi attacks even if the core issue remains unresolved. “[WAF] doesn’t fix the underlying vulnerability, but it’s very effective at stopping it from being exploited,” he said.

Security testing is another essential defense against SQLi. Regular security audits and penetration testing help organizations identify vulnerabilities before they can be exploited. Asked about what to do, Hunt says companies should “invest in infosec training for software developers and engage professional penetration testers. Paid bug bounties are also a great way of helping the good guys find vulnerabilities before the bad guys do.”

While automated tools can help detect SQLi vulnerabilities, prevention ultimately depends on developers writing secure code.

Are we doing enough?

Despite progress in reducing SQLi vulnerabilities, SQLi remains a persistent threat.

The FBI and CISA have repeatedly warned that organizations must do more to eliminate these flaws, emphasizing that poor security practices continue to expose critical systems. While many modern frameworks provide built-in protections, vulnerabilities still appear due to legacy code, poor developer training, and inconsistent security enforcement.

Hunt acknowledges the improvements made over time but stresses that SQLi is still a real and active risk. “We’ve seen a lot of progress over the last couple of decades,” he says, “but clearly it’s still being exploited, and we need to remain vigilant.”

Many businesses remain vulnerable because they prioritise functionality over security, leaving database protection as an afterthought. Security best practices such as parameterized queries, web application firewalls, and penetration testing are essential, but they require ongoing investment and awareness.

Ultimately, defending against SQLi requires more than just technical fixes: it demands a security-first mindset at every stage of development. Developers, security teams, and business leaders must work together to prioritize secure coding practices, conduct regular security assessments, and stay informed about emerging threats.

As long as SQLi continues to be exploited, businesses cannot afford to become complacent. The tools and knowledge to prevent SQLi exist, but only a proactive and consistent approach will ensure that these vulnerabilities are truly eliminated.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.
