Input: The attacker locates a form on a website that accepts user input, such as a login form, search bar, or comment section.
Analysis: The attacker tests the input field to see how the application processes the input by entering various characters (e.g., single/double quotes or semicolons).
Input: Once the attacker suspects a potential vulnerability (e.g., the system returns errors revealing query structures), they craft a malicious input. For a login form, this might be ' OR '1'='1
Trigger: The attacker submits this input in the username field, attempting to alter the SQL query executed by the application
Data Processing: The application takes the attacker's input and inserts it into an SQL query without validation or escaping
Manipulation: The injected OR '1'='1' clause makes the condition always TRUE, allowing the attacker to bypass authentication
Output: The server executes the manipulated query. Since the condition always evaluates to TRUE, the database returns all user rows.
Outcome: The application erroneously grants the attacker access, assuming the login was successful.
The attacker now has access to the system as a valid user. Depending on the privileges associated with the returned user account, the attacker can view sensitive data, modify information, or perform other malicious actions.

<?php

$username = $_POST['username'];

$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

$result = mysqli_query($connection, $query);

if(mysqli_num_rows($result) > 0) {

echo "Login successful!";

} else {

echo "Invalid username or password.";

}

Notice that he code directly inserts the username and password variables into the SQL query without validation or sanitization.

An attacker can manipulate the input fields to craft a malicious SQL statement, potentially bypassing authentication or extracting sensitive data.

Attack Example