SQL Injection

SQL injection (SQLi) is a web security vulnerability that allows attackers to interfere with database queries, potentially accessing or modifying sensitive data. Successful SQLi attacks can lead to data theft, authentication bypass, data manipulation, privilege escalation, and system compromise. Preventative measures include using parameterized queries, input validation, and web application firewalls to mitigate risks associated with SQL injection.


SQL INJECTION

Iheb Mhamdi
Hamza Argoubi
SSIR-C
PLAN

1 DEFINITION
2 IMPACT OF SQL INJECTION
3 HOW TO DETECT SQL INJECTION
4 HOW TO PREVENT SQL INJECTION?
5 CONCLUSION
DEFINITION

WHAT IS SQL INJECTION?
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries
that an application makes to its database. This can allow an attacker to view data that they are not
normally able to retrieve. This might include data that belongs to other users, or any other data that
the application can access. In many cases, an attacker can modify or delete this data, causing
persistent changes to the application's content or behavior.
In some situations, an attacker can escalate a SQL injection attack to compromise the underlying
server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.
This diagram illustrates how a SQL injection attack occurs:

1️⃣ The attacker locates a vulnerable input field (e.g., a login form).

2️⃣ Malicious SQL code is injected and executed by the backend database.

3️⃣ As a result, the attacker can access, manipulate, or destroy database content—potentially gaining administrative access.

IMPACT OF A SUCCESSFUL SQL INJECTION
Data Theft
A successful SQL injection attack can allow unauthorized access to sensitive data such as usernames, passwords, email addresses, and financial records. This compromises user privacy and can lead to identity theft or fraud.

Authentication Bypass
By manipulating SQL queries, attackers can bypass login mechanisms and gain access to restricted areas without valid credentials. This puts internal systems and user accounts at serious risk.

Data Manipulation
SQL injection can enable attackers to insert, modify, or delete records in the database. This can result in corrupted data, loss of important information, or even disruption of business operations.

Privilege Escalation
In some cases, attackers can elevate their access rights within the system, moving from a basic user to a database administrator. This gives them full control over the database and its contents.

System Compromise
Advanced SQL injection attacks can lead to full server compromise, allowing attackers to execute commands, install malware, or take control of the underlying infrastructure.
HOW TO DETECT SQL INJECTION VULNERABILITIES
Manual Testing
By entering special characters such as ', --, or OR 1=1 into input fields or URL parameters, testers can observe how the application responds. Unexpected behaviors or database errors may

Error message analysis
If the application returns detailed error messages like "SQL syntax error" or "unclosed quotation mark", it suggests that user input is directly included in SQL queries without proper validation.

Automated scanning tools
Tools such as SQLMap, Burp Suite, or OWASP ZAP can automate the detection of SQL injection by sending payloads and analyzing server responses. These tools can confirm the presence of vulnerabilities

Static analysis
Examining the application's source code helps identify insecure SQL query construction. If user input is directly concatenated into SQL statements, it's a red flag. Static analysis tools like Bandit (Python) or Flawfinder (C) can help
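The static-analysis check described above, as an added example that is not part of the original slides: a small AST walker (using only Python's standard library, not Bandit) that flags every `execute(...)` call whose first argument is assembled at runtime by concatenation, an f-string, `%`-formatting or `.format()`. The sample source it scans is constructed for this example.

```python
import ast

# Constructed sample source (not from the original slides): four query sites
# that build SQL from user input dynamically, and one parameterized query.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: the 'user input
    directly concatenated into SQL statements' red flag from the slide."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x  /  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


def find_dynamic_queries(source: str) -> list:
    """Return (line, node_kind) for each execute()/executemany() call whose
    SQL argument is built dynamically instead of passed as a constant with
    bound parameters. A constant query with a parameter tuple is not flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        query = node.args[0]
        if _is_dynamic_sql(query):
            findings.append((node.lineno, type(query).__name__))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {line}: SQL statement built dynamically ({kind})")
```

Each hit is a place to review and convert to a prepared statement; the parameterized call on the last line of the sample produces no finding.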
HOW TO PREVENT SQL INJECTION?
1 Use Parameterized Queries (Prepared Statements)
The most effective defense against SQL injection. Prepared statements ensure that user input is treated as data, not executable SQL code. Most programming languages (e.g., Python, Java, PHP) support this feature.

2 Input Validation and Sanitization
Always validate user input against expected formats (e.g., numeric fields should not accept letters or special characters). Sanitize inputs by removing or escaping characters that could be used in injection attacks.

3 Use Stored Procedures Safely
Stored procedures can reduce SQL injection risk when written securely. Ensure they don't dynamically build SQL strings from user input—use parameters within the procedure itself.

4 Apply the Principle of Least Privilege
Ensure that the database account used by the application has only the necessary permissions (e.g., no DROP or DELETE rights if not needed). This minimizes the impact if an injection occurs.

5 Disable Detailed Error Messages in Production
Avoid exposing database error messages to users. Detailed errors can reveal how queries are structured and help attackers craft successful injection payloads.

6 Use Web Application Firewalls (WAFs)
WAFs can detect and block common SQL injection patterns in HTTP requests. While not a complete solution, they provide an additional layer of defense—especially useful for legacy applications.
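Points 1, 2 and 5 above, applied to the login form from the definition slide, as an added example that is not part of the original slides: a concatenated query beside its hardened form, which validates the username shape, binds both values as parameters and returns a plain failure on database errors. The in-memory SQLite table, the user record and the function names are constructed for this example; passwords are kept in clear only to keep it short.

```python
import re
import sqlite3

# Expected shape of a username (point 2): letters, digits, underscore, 1 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with one user (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The red flag from the detection slide: user input concatenated into SQL."""
    query = ("SELECT 1 FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Point 1: '?' placeholders, the driver binds the values as data.
    Point 2: reject a username that does not match the expected format.
    Point 5: a database error yields a plain failure, not the error text."""
    if not USERNAME_RE.fullmatch(username):
        return False
    try:
        row = conn.execute(
            "SELECT 1 FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error:
        # In a real application log the detail server-side; the client sees only a failure.
        return False
    return row is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"   # the manual-test input named on the detection slide
    print("vulnerable, probe in password:", login_vulnerable(db, "alice", probe))  # True
    print("hardened,   probe in password:", login_hardened(db, "alice", probe))    # False
    print("hardened,   probe in username:", login_hardened(db, probe, "x"))        # False
    print("hardened,   valid credentials:", login_hardened(db, "alice", "correct horse"))  # True
```

With the probe in the password field the validation in point 2 does not apply, so the second line shows that parameter binding alone is what keeps the input from changing the query.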

CONCLUSION

The SQL injection vulnerability remains one of the most critical and most common threats in web applications. It allows an attacker to manipulate the SQL queries sent to the database, compromising the confidentiality, integrity and sometimes even the availability of the data. Through effective detection techniques and the application of secure development practices, such as the use of prepared statements, input validation and privilege limitation, this type of attack can be prevented effectively. Web application security must be considered from the design stage and continually strengthened through regular audits and developer awareness.

THANK YOU FOR YOUR ATTENTION