Are SQL Injections Still a Thing? (2024)

We often get asked by customers if SQL injections are still a thing. Even though this vulnerability class has been known for over 20 years, injections still rank number 3 in the OWASP Top 10 for web vulnerabilities. In 2022, 1162 vulnerabilities of the type "SQL injection" were accepted as CVEs. So the answer is: Yes, SQL injections are still a thing. This blog post gives an overview of the existing challenges and solutions around SQL injections, and also highlights the new possibilities that fuzzing offers in this context. But let's start from scratch:

What Is an SQL Injection?

An SQL injection is an attack in which the user can insert SQL statements into the input data provided to an application. If this input is not properly sanitized, the application executes attacker-controlled statements on the database, which allows the attacker to read sensitive information or modify data. The root cause of injection attacks is the lack of input validation, which can lead to arbitrary commands being run on the database.

Why Are SQL Injections Still a Thing?

In today's age, it's fascinating how frequently even large organizations fail to prevent SQL injections, although the market is full of commercial and open-source tools that claim to eliminate them. We have identified the following reasons for the high volume of SQL injections:

  • Developers often lack security awareness.
  • There are hardly any automated and efficient testing methods that detect injections precisely (i.e. without false positives).
  • Database access libraries that are supposed to provide a safe way of accessing databases, e.g. by encouraging the use of prepared statements, can often still be misused while giving the developer a false sense of security.
  • Almost every web application uses some form of database in the backend. The sheer number of SQL databases alone offers a considerable attack surface.
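To make the definition above and the "false sense of security" bullet concrete, here is an added example (not code from the original post or from Code Intelligence) that puts a plainly vulnerable lookup, a lookup that only looks parameterized, and a correctly parameterized lookup side by side. The table, rows and function names are constructed for the demonstration; the driver is Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed in-memory database for the demonstration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])


def lookup_concat(name):
    """Vulnerable: the user input is concatenated into the SQL text, so a
    quote character in the input ends the literal and becomes SQL syntax."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_misused_placeholder(name):
    """Also vulnerable: the call takes a parameter tuple and looks like a
    prepared statement, but the f-string has already pasted the input into
    the statement before the driver ever sees it."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query, ()).fetchall()


def lookup_parameterized(name):
    """Safe: the driver binds the value separately from the statement text,
    so whatever the input contains, it is compared as data, never parsed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()
```

With a name such as "bob" all three functions return the same row. With an input that contains a single quote followed by an OR condition, the first two functions return every row in the table, while the parameterized version returns nothing because no user literally has that name. The second function is the pattern the bullet list warns about: the API is used, but the protection is bypassed by formatting the value in first.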

[Figure: comic, © www.xkcd.com]

How to Detect SQL Injections

Let's take a closer look at the existing methods for detecting SQL injections. In simple terms, there are two approaches, and both have their limitations:

Static Analysis for SQL Injections

SAST, or Static Application Security Testing, analyzes the code without executing it. These techniques mainly rely on data flow analysis to track how input data is handled and used by the program. Based on that, taint analysis checks whether data supplied by the user can reach critical operations of the application without the necessary validation.

For this to work reasonably well, the built-in features of the programming language and framework need to be modeled precisely. The lack of such precision, and the fundamental difficulty of statically building an accurate model of the program, lead to imprecise results and a high rate of false positives.

To use these tools effectively, developers or security experts must perform a difficult and time-consuming manual analysis to filter out the false positives and find the actual bugs in the generated reports. This limits the practical use of static analysis tools.
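The following added example (written for this page, not taken from any SAST product) shows the taint-analysis idea in its simplest form: a flow-insensitive pass over a Python AST that treats request.args.get(...) as the only taint source and any .execute(...) call as the only sink. The analysed application code is constructed inline. The second function in the sample validates its input with isdigit() before use, which the analyser does not model, so it is reported anyway; that is exactly the kind of false positive the text describes.

```python
import ast

# Constructed sample of application code to analyse (not from the page).
SAMPLE = '''
def find_user(request, db):
    name = request.args.get("name")          # taint source
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return db.execute(q)                     # tainted sink: real finding

def find_id(request, db):
    uid = request.args.get("id")             # taint source
    if not uid.isdigit():                    # validation the analyser ignores
        raise ValueError("bad id")
    return db.execute(f"SELECT * FROM users WHERE id = {uid}")  # false positive

def count_users(db):
    return db.execute("SELECT COUNT(*) FROM users")  # constant query: clean
'''

SOURCE_CALLS = {"get"}   # assumption: request.args.get(...) yields user input


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive, intra-procedural taint tracking: a variable is
    tainted if it is assigned from a source or from a tainted expression."""

    def __init__(self):
        self.tainted = set()
        self.findings = []   # (function name, line number of the sink)
        self.current = None

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            f = node.func
            return isinstance(f, ast.Attribute) and f.attr in SOURCE_CALLS
        if isinstance(node, ast.BinOp):          # "..." + name + "..."
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):      # f"... {name} ..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_FunctionDef(self, node):
        self.current = node.name
        self.tainted = set()        # taint does not cross function boundaries
        self.generic_visit(node)

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr == "execute":
            if node.args and self.is_tainted(node.args[0]):
                self.findings.append((self.current, node.lineno))
        self.generic_visit(node)


def analyze(source):
    """Return (function, line) pairs where tainted data reaches execute()."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings
```

Running analyze(SAMPLE) reports find_user (a genuine bug) and find_id (a false positive), and nothing for count_users. Making the analyser understand the isdigit() guard would require modelling conditions and exceptions, which is the precision problem the section refers to.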

Dynamic Testing for SQL Injections

DAST, or Dynamic Application Security Testing, is performed by actually executing the application and analyzing it at runtime. Dynamic vulnerability scanners such as OWASP ZAP or sqlmap try to attack the application by sending requests to the various endpoints of a web app and monitoring the responses for hints of potential vulnerabilities.

These hints include things such as specific MySQL error messages. Current dynamic analysis tools have several limitations: First, they treat the application as a black box, so they have no insight from the execution that would help them construct requests that trigger deep bugs in the code. Second, they need external assistance to identify how to reach the various endpoints offered by the application and the structure of the requests that each endpoint accepts.

Moreover, they fail to detect vulnerabilities that do not result in corresponding error messages, e.g., when the error is caught by the code and the error message is silently discarded. It is also hard for these tools to find certain types of SQL injections that do not immediately display results back to the user (so-called "blind SQLi"), or "second-order SQLi", where malicious user input is stored on the server and only later processing leads to an SQL injection.
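The limitation just described can be reproduced in a few lines. This added example (not from the post, and not how ZAP or sqlmap are implemented) models the response-monitoring part of a black-box scanner as a check for well-known database error fragments, and runs it against two constructed endpoints that share the same unsafe query construction. The first endpoint returns the driver's error text, the second catches the exception and answers with an empty result. The signature list and the endpoints are assumptions made for the demonstration.

```python
import sqlite3

# Fragments of real error messages a black-box scanner looks for in
# response bodies (constructed list for the demo, not exhaustive).
SQL_ERROR_SIGNATURES = (
    "You have an error in your SQL syntax",   # MySQL
    "syntax error at or near",                # PostgreSQL
    "unterminated quoted string",             # PostgreSQL
    "unrecognized token",                     # SQLite
)


def looks_like_sql_error(body):
    """Scanner-side heuristic: does the response leak a database error?"""
    return any(sig in body for sig in SQL_ERROR_SIGNATURES)


# Constructed toy application: both endpoints build the query unsafely,
# but only the first one exposes the database error to the client.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
conn.execute("INSERT INTO items VALUES (1, 'first')")


def endpoint_verbose(title):
    """Returns (status, body); leaks the driver message on failure."""
    try:
        rows = conn.execute(
            "SELECT id FROM items WHERE title = '" + title + "'").fetchall()
        return 200, str(rows)
    except sqlite3.Error as exc:
        return 500, "Internal error: %s" % exc


def endpoint_silent(title):
    """Same flaw, but the exception is swallowed: nothing for a scanner
    to see in the response, i.e. the vulnerability is 'blind'."""
    try:
        rows = conn.execute(
            "SELECT id FROM items WHERE title = '" + title + "'").fetchall()
        return 200, str(rows)
    except sqlite3.Error:
        return 200, "[]"


def scan(endpoint, probe):
    """True if the response-monitoring scanner would flag this endpoint."""
    status, body = endpoint(probe)
    return looks_like_sql_error(body)
```

A probe consisting of a single quote character makes both endpoints fail at the database, but only endpoint_verbose is flagged; endpoint_silent is just as vulnerable and goes undetected. A scanner that only watches responses has no way to tell the second case apart from a legitimately empty result, which is why in-process instrumentation (as used by fuzzers) sees more than black-box testing does.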

Preventing SQL Injections

Regarding the opening question: Yes, SQL injections are still one of the most exploited security vulnerabilities and, therefore, still a thing. To detect and prevent SQL injections, there are two security testing approaches, SAST and DAST. Both come with several limitations.

However, there is hope: Recent research has shown that fuzzing can be a particularly effective method for detecting SQL injections. Code Intelligence's platform finds injections with very high reliability and virtually no false positives. You can start using CI Fuzz today for free to find SQL injections in your applications.
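To illustrate why fuzzing can report injections with essentially no false positives, here is an added example (my own simplified construction, not the CI Fuzz implementation or any Code Intelligence code). The idea is to instrument the point where the application hands SQL to the driver and to use a structural oracle: the statement is tokenized with string literals collapsed to a placeholder, and an input is a finding only if the resulting token "shape" differs from the shape produced by a harmless seed input. A mutation-based fuzzer then searches for such inputs. The query builders, the alphabet and the tokenizer are constructed for the demo.

```python
import random
import re

# Tokenizer: quoted strings and bare numbers collapse to placeholders, so the
# statement "shape" depends only on its syntax, not on literal contents.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\S")


def shape(sql):
    """Structural fingerprint of an SQL string (tuple of normalized tokens)."""
    parts = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            parts.append("<str>")
        elif tok.isdigit():
            parts.append("<num>")
        else:
            parts.append(tok.upper())
    return tuple(parts)


def build_concat(name):
    """Constructed vulnerable builder: returns (sql, params) with the input
    pasted into the statement text."""
    return "SELECT id FROM users WHERE name = '" + name + "'", ()


def build_parameterized(name):
    """Constructed safe builder: the input travels as a bound parameter."""
    return "SELECT id FROM users WHERE name = ?", (name,)


# Small mutation alphabet; includes the characters that matter for SQL.
ALPHABET = list("abcxyz019 '\";-=#")


def fuzz(builder, iterations=2000, seed=1):
    """Mutation-based fuzzer with a structural oracle.

    An input is reported as an injection if the SQL text that would reach
    the driver no longer has the shape produced by the seed input 'alice'.
    Returns the offending input, or None if none was found."""
    rng = random.Random(seed)
    baseline = shape(builder("alice")[0])
    corpus = ["alice"]
    for _ in range(iterations):
        data = list(rng.choice(corpus))
        pos = rng.randint(0, len(data))
        data.insert(pos, rng.choice(ALPHABET))   # one-character insertion
        candidate = "".join(data)
        sql, _params = builder(candidate)
        if shape(sql) != baseline:
            return candidate                     # structure changed: finding
        corpus.append(candidate)
    return None
```

For build_concat the fuzzer quickly produces an input containing a quote that breaks out of the literal, and the oracle flags it because the token sequence changes. For build_parameterized the SQL text never changes, so the oracle never fires, whatever the input looks like. Benign inputs with spaces, digits or other punctuation inside the literal keep the same shape, which is why this kind of oracle does not generate the false positives that pattern-based static checks do; the price is that it only sees code paths the fuzzer actually reaches.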


FAQs

Are SQL Injections Still a Thing?

SQL injection is one of the oldest vulnerabilities and has been present in the OWASP Top 10 for more than fifteen years. It allows attackers to steal and modify information (sensitive or not) in millions of databases worldwide.

Does SQL injection still work in 2024?

In 2024, SQL injections are still a thing, as they are one of the most exploited security vulnerabilities. Despite the huge influx of commercial and open-source solutions on the market today, all claiming to alleviate SQL injections, they are still number 3 on the OWASP Top 10 ranking.

How often do SQL injections occur today?

According to the Open Web Application Security Project, injection attacks, which include SQL injections, were the third most serious web application security risk in 2021. In the applications they tested, there were 274,000 occurrences of injection.

Does XSS still work?

Vulnerabilities allowing XSS have consistently been the #1 or #2 high-risk vulnerability found in all three years of Synopsys testing. Of the high-risk vulnerabilities found in the 2022 tests, 19% were found to be associated with cross-site scripting attacks.

What percentage of attacks are SQL injection?

SQL injection was the main source of critical web application vulnerabilities found globally in 2023, at 23 percent, with a further 19 percent of internet-facing critical vulnerabilities due to stored cross-site scripting attacks.

Are SQL injections obsolete?

In 2023, SQL injections remain some of the most common attacks on the web. In 2022 alone, 1162 SQL injection vulnerabilities were added to the CVE security database. The good news is that SQL injections are not as prevalent as they once were. Most applications have evolved to protect against SQL attacks.

What is a real-life example of SQL injection?

Target Corporation. In 2013, Target Corporation, a large company in the United States, suffered a data loss due to a SQL injection attack. The attack resulted in the theft of sensitive information, such as credit card numbers and personal data, of over 40 million customers.

Are SQL injections illegal?

Yes, using an SQL injection on someone else's website is considered illegal. SQL injections are a type of computer attack in which malicious code is inserted into a database in order to gain access to sensitive information.

What is the most popular SQL injection?

In-band SQL injection is the most frequent and commonly used SQL injection attack. The transfer of data in in-band attacks can be done either through error messages on the web page or by using the UNION operator in SQL statements.

Is XSS worse than CSRF?

The consequences of XSS vulnerabilities are generally more serious than those of CSRF vulnerabilities: CSRF often only applies to a subset of the actions that a user is able to perform.

Is testing for XSS illegal?

It's important to remember that testing for XSS without the website owner's permission is illegal and can lead to serious legal consequences.

Will using HTTPS instead of HTTP stop XSS?

HTTPS can prevent a man-in-the-middle attack, not XSS. Unfortunately, the session cookie is not secure with HTTPS alone: one can request a page over HTTP, and the same cookie will then be sent unprotected.

Is SQL injection rare?

SQL injection is a code injection technique that might destroy your database. SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements via web page input.

What is the root cause of SQL injection attacks?

The three root causes of SQL injection vulnerabilities are the combining of data and code in dynamic SQL statements, error revelation, and insufficient input validation.

Who is vulnerable to SQL injection?

An SQL injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others.

Will SQL be replaced by AI?

SQL (Structured Query Language) remains a foundational skill in the data space, especially in managing and querying structured databases. While machine learning (ML) and artificial intelligence (AI) have seen significant advancements, they don't replace SQL but rather complement it in various ways: 1.

Why is SQL injection illegal?

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Why avoid SQL injection?

An SQL injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more.

Is testing for SQL injection illegal?

In the US, SQL injection and other types of "hacking" are illegal under various laws and regulations stemming from the Computer Fraud and Abuse Act and the Patriot Act.

Article information

Author: Greg O'Connell