Types of SQL Injection

There are several types of SQL injection attacks, which can be categorized based on how the attack is performed and how the results are retrieved.

Logic SQL Injection

Logic SQL Injection exploits the logical structure of an SQL query to alter its intended behavior. This is most commonly used to bypass authentication mechanisms by forcing a WHERE clause to evaluate to true, such as by injecting ' OR '1'='1.
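The bypass above, shown against a constructed in-memory SQLite table (added example, not code from the original page): the string-built query lets the ' OR '1'='1 payload rewrite the WHERE clause, while the parameterised version binds the same input as data and rejects it. The table, user and function names are assumptions for the demo.

```python
import sqlite3

# Constructed demo database: one known user, not taken from the page.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
conn.commit()


def build_vulnerable_query(username: str, password: str) -> str:
    # String concatenation: user input becomes part of the SQL grammar,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    return (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(username: str, password: str) -> bool:
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = '...' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the clause is true for every row.
    query = build_vulnerable_query(username, password)
    return conn.execute(query).fetchone()[0] > 0


def login_safe(username: str, password: str) -> bool:
    # Parameterised query: the driver sends the input as a bound value, so
    # "' OR '1'='1" is compared literally against the stored password.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print(build_vulnerable_query("nobody", payload))
    print("vulnerable login:", login_vulnerable("nobody", payload))  # True
    print("parameterised login:", login_safe("nobody", payload))    # False
```

The same binding of input as data, applied to every query, is what removes the union-, error-, blind- and out-of-band variants below as well, since none of them can start without input being parsed as SQL.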

Union-based SQL Injection

Union-based SQL Injection uses the UNION operator to combine the results of the original query with the results of an injected query. This technique allows attackers to extract data from other tables within the database and have it returned in the application's response.

Error-based SQL Injection

Error-based SQL Injection relies on intentionally triggering database errors. By analyzing the detailed error messages returned by the database, an attacker can gather valuable information about the database structure, version, and even its contents.

Blind SQL Injection

Blind SQL Injection occurs when an application is vulnerable to SQL injection, but its HTTP responses do not directly contain the results of the injected query or any database error messages. Attackers must extract data indirectly by asking the database true/false questions.

Boolean-based Blind SQL Injection

Boolean-based Blind SQL Injection is a form of blind injection that relies on injecting a query that forces the application to return a different response depending on whether the query evaluates to TRUE or FALSE. By observing the differences in the page content, the attacker can infer data bit by bit.

Time-based Blind SQL Injection

Time-based Blind SQL Injection is a form of blind injection that relies on injecting a query that makes the database pause (for example, through a conditional delay) only when the injected condition evaluates to TRUE. Because the page content is identical in both cases, the attacker observes differences in response time instead and infers data bit by bit.

Out-of-band SQL Injection

Out-of-band SQL Injection is a rare but critical technique used when the attacker cannot use the same channel to both launch the attack and gather the results (e.g., due to blind injection being too slow or blocked). It relies on forcing the database server to make an external network request, such as a DNS lookup or HTTP request, to deliver the extracted data to a server controlled by the attacker.