Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

SQL Injection

Description

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.

Remediation

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.

References

SQL Injection (SQLi) - Acunetix

Types of SQL Injection (SQLi) - Acunetix

Prevent SQL injection vulnerabilities in PHP applications and fix them - Acunetix

SQL Injection - OWASP

Bobby Tables: A guide to preventing SQL injection

SQL Injection Cheet Sheets - Pentestmonkey

Related Vulnerabilities

WordPress Plugin PayPal WP Button Manager SQL Injection (0.1.1)

WordPress Plugin WP Statistics SQL Injection (12.6.6.1)

WordPress Plugin Xllentech English Islamic Calendar SQL Injection (2.6.7)

WordPress Plugin WP Photo Album Plus 'wppa-album' Parameter SQL Injection (4.1.1)

WordPress Plugin Fancy Product Designer-WooCommerce SQL Injection (4.7.4)

Severity

Critical

Classification

CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

SQL Injection