SQL Injection (SQLi) is an attack where the attacker tricks an application into executing unintended database commands by inserting malicious SQL into input fields. The classic example: a login form that constructs SQL by concatenating user input — entering `' OR '1'='1` as username may bypass authentication. SQLi can read entire databases, modify or delete data, and in some cases execute system commands. SQLi has been one of the most damaging vulnerability classes in history (responsible for breaches at Heartland, Sony, Yahoo, TalkTalk, Equifax-related incidents). It remains in OWASP Top 10 (currently A03 Injection) and is the most common vulnerability found in penetration tests of legacy applications.

Three main categories: (1) **In-band SQLi** — most direct; results returned in the same channel as the attack (e.g., on the web page). Sub-types: error-based (extracts info via DB error messages), union-based (UNION SELECT to merge attacker query results), (2) **Blind (Inferential) SQLi** — no results visible, attacker infers from behaviour. Sub-types: boolean-based (different responses for true/false conditions), time-based (DELAY commands reveal info via timing), (3) **Out-of-band SQLi** — results sent through a different channel (DNS lookup, HTTP request); used when no other channel works. Modern SQLi tools (sqlmap) automate detection and exploitation across all categories.

Five high-impact incidents: (1) **Heartland Payment Systems (2008)** — SQLi led to theft of 134 million credit card numbers; one of the largest payment-card breaches in history, $145M in penalties, (2) **Sony Pictures (2011)** — SQLi during 'OurPenis' campaign exposed 77M PSN accounts, $171M cleanup cost, (3) **TalkTalk (2015)** — UK telco breach via SQLi, 157K customers affected, £400K fine plus customer compensation, (4) **MOVEit (2023)** — Cl0p ransomware group exploited SQLi (CVE-2023-34362) in MOVEit Transfer file-transfer software, affected 2700+ organisations including major US government agencies, (5) **Cisco / various supply chain attacks** — ongoing exploitation of legacy enterprise applications. Lesson: even after 25+ years of awareness, SQLi remains common and devastating.

Five layered defences: (1) **Parameterised queries / prepared statements** — the gold standard; user input never mixed with SQL syntax. Available in every modern language (PreparedStatement in Java, parameterized cursor in Python, $1/$2 in Postgres pg, ?-parameters in many ORMs), (2) **Stored procedures with parameters** — similar protection if implemented correctly, (3) **ORMs (Object-Relational Mappers)** — Hibernate, Entity Framework, ActiveRecord, SQLAlchemy use parameterisation by default; safe if used correctly (raw queries are still risky), (4) **Input validation** — defence in depth; reject input that doesn't match expected format (allowlist), (5) **Least-privilege database accounts** — application accounts should have minimum necessary permissions; no DROP, no admin functions. **Avoid**: input sanitisation by escaping (error-prone), 'cleaning up' input (allowlist instead). **WAF as defence in depth, not primary control**.

Detection methods: (1) **SAST (static analysis)** — scans code for unsafe patterns (string concatenation in SQL); Snyk, Checkmarx, SonarQube, GitHub CodeQL flag SQLi-prone code, (2) **DAST (dynamic analysis)** — Burp Suite, OWASP ZAP, Acunetix actively try injection payloads against running app, (3) **IAST** — observes SQL queries during testing, links them to user input flows, (4) **Penetration testing** — manual experts find chained or context-specific issues automation misses, (5) **WAF detection** — Cloudflare, AWS WAF, Imperva detect common SQLi patterns; useful for blocking and as a tripwire, (6) **Database query monitoring** — tools like Imperva Database Activity Monitoring or native query logs detect anomalous query patterns. SAST + DAST + WAF + manual pentest is the standard mature combination.

sqlmap is the standard open-source automated SQLi exploitation tool, used by penetration testers and (unfortunately) attackers worldwide. Capabilities: (1) **Detection** — sends thousands of payloads to identify if a parameter is injectable, (2) **Exploitation** — extracts database schema, dumps tables, decrypts password hashes, (3) **Advanced techniques** — out-of-band exploitation, file system access (read/write files via DB privileges), in extreme cases OS command execution, (4) **Multi-DBMS support** — MySQL, PostgreSQL, Oracle, SQL Server, SQLite, MariaDB, etc. For defenders: (1) sqlmap traffic is detectable by WAF and SIEM; (2) running it against your own apps in CI/CD validates defences; (3) regularly testing with sqlmap exposes legacy vulnerabilities that need refactoring.

SQLi is part of **OWASP Top 10:2021 A03 Injection**, alongside command injection, LDAP injection, XPath injection, NoSQL injection. Modern frameworks have largely solved SQLi *if used correctly*: Rails ActiveRecord, Django ORM, Hibernate, Entity Framework, SQLAlchemy all use parameterisation by default. SQLi in 2026 most commonly appears in: (1) Legacy applications written before ORMs were standard, (2) Applications mixing ORM with raw queries (raw queries skip the protection), (3) Stored procedures concatenating SQL inside, (4) NoSQL injection where developers don't realise NoSQL has its own injection vectors. Continued discipline: always use parameterised queries, treat raw SQL as a code smell requiring review, scan with SAST/DAST in CI/CD, regular pentests.