SQL Injection (SQLi)
SQL Injection is a code injection technique where an attacker can execute malicious SQL statements that control a web application's database server, potentially accessing or deleting sensitive data.
Attack Simulation
The demo takes a username and password from a login form and builds the backend database query by concatenating that input into the SQL text. The query as displayed by the demo:
SELECT * FROM users WHERE username = ''' AND password = '...'
Interactive: try typing admin' OR '1'='1 into the username input and observe how the database result changes.
How it Works
- Input: The application accepts user input (e.g., a username) without proper sanitization.
- Inject: The attacker adds SQL syntax (such as ' or OR) into the input field.
- Execute: The database interprets the input as code, altering the query's logic so that it returns data it shouldn't.
Prevention & Defense
Prepared Statements (Parameterized Queries): Use database features that treat user input as data, not as executable code.
Input Validation: Ensure input conforms to the expected format (e.g., only alphanumeric characters for usernames).
Secure Code Challenge
Patch the vulnerability: Vulnerable Code
// Vulnerable Node.js Code
const query = "SELECT * FROM users WHERE user = '" + username + "'";
db.execute(query);
Identify the security flaw above and select the correct patch to fix it.
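The following is an added example, not code from the page or its challenge. It builds a tiny in-memory "database" whose WHERE-clause parser supports just =, AND, OR and string literals, so the mechanism from "How it Works" and the two defenses from "Prevention & Defense" can be observed on real rows: loginUnsafe mirrors the challenge's concatenation pattern, loginParameterized uses ? bind placeholders, and isValidUsername is the input-validation layer. The user rows, the function names and the query subset are all constructed for this demo.

```javascript
// Added example, not code from the page. Sample rows are constructed.
const USERS = [
  { username: "admin", password: "s3cret-admin" },
  { username: "alice", password: "alice-pw" },
];

// Tokenizer for the supported subset: words, 'string literals' (with '' as an
// escaped quote), the operators = and *, and the ? bind placeholder.
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === "'") {
      let j = i + 1, s = "";
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { s += "'"; j += 2; continue; }
          break;
        }
        s += sql[j++];
      }
      // A real database rejects this too: a stray quote breaks the literal.
      if (j >= sql.length) throw new SyntaxError("unterminated string literal");
      tokens.push({ type: "str", value: s });
      i = j + 1;
      continue;
    }
    if (c === "=" || c === "*") { tokens.push({ type: "op", value: c }); i++; continue; }
    if (c === "?") { tokens.push({ type: "param" }); i++; continue; }
    const m = /^[A-Za-z_][A-Za-z0-9_]*/.exec(sql.slice(i));
    if (!m) throw new SyntaxError("unexpected character " + c);
    tokens.push({ type: "word", value: m[0] });
    i += m[0].length;
  }
  return tokens;
}

// Recursive-descent parser for: SELECT * FROM users WHERE <expr>
//   expr := term (OR term)* ; term := factor (AND factor)* ; factor := operand = operand
// Returns a predicate over one row. Bind values come from `params` and are
// used as plain data, never re-tokenized; that is what makes binding safe.
function parseSelect(sql, params = []) {
  const t = tokenize(sql);
  let pos = 0, paramIdx = 0;
  const isWord = (w) => t[pos] && t[pos].type === "word" && t[pos].value.toUpperCase() === w;
  const expect = (type, value) => {
    const tok = t[pos++];
    if (!tok || tok.type !== type || tok.value.toUpperCase() !== value) {
      throw new SyntaxError("expected " + value);
    }
  };
  expect("word", "SELECT"); expect("op", "*"); expect("word", "FROM");
  expect("word", "USERS"); expect("word", "WHERE");

  const operand = () => {
    const tok = t[pos++];
    if (!tok) throw new SyntaxError("expected operand");
    if (tok.type === "str") return () => tok.value;           // literal from the SQL text
    if (tok.type === "word") return (row) => row[tok.value];  // column reference
    if (tok.type === "param") {                               // bound value, data only
      if (paramIdx >= params.length) throw new Error("missing bind parameter");
      const v = String(params[paramIdx++]);
      return () => v;
    }
    throw new SyntaxError("unexpected token");
  };
  const factor = () => {
    const l = operand(); expect("op", "="); const r = operand();
    return (row) => l(row) === r(row);
  };
  const term = () => {
    let p = factor();
    while (isWord("AND")) { pos++; const q = factor(); const prev = p; p = (row) => prev(row) && q(row); }
    return p;
  };
  const expr = () => {
    let p = term();
    while (isWord("OR")) { pos++; const q = term(); const prev = p; p = (row) => prev(row) || q(row); }
    return p;
  };
  const where = expr();
  if (pos !== t.length) throw new SyntaxError("unexpected trailing input");
  return where;
}

// The page's vulnerable pattern: user input becomes part of the SQL text, so
// quotes and keywords in the input change the query's structure.
function loginUnsafe(username, password) {
  const sql = "SELECT * FROM users WHERE username = '" + username +
              "' AND password = '" + password + "'";
  return USERS.filter(parseSelect(sql));
}

// The fix: the SQL text is constant and the values are bound as parameters.
function loginParameterized(username, password) {
  const where = parseSelect("SELECT * FROM users WHERE username = ? AND password = ?",
                            [username, password]);
  return USERS.filter(where);
}

// Defense in depth: reject usernames that do not match the expected format
// before they reach the database at all (hypothetical policy: 1-32 word chars).
function isValidUsername(u) {
  return /^[A-Za-z0-9_]{1,32}$/.test(u);
}
```

With the page's payload in the username field, loginUnsafe returns the admin row even though the password is wrong, because OR binds more loosely than AND and the injected '1'='1' makes the password check irrelevant; a lone quote produces a syntax error instead, which is the state the simulation's query display shows. loginParameterized returns no rows for the same input, because the bound value is compared as a whole string. Binding is the primary control; validation narrows the input space further but does not replace it.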