SQL Injection Explained | AP Cybersecurity

Unit 5 • Topic 5.1 • Application and Data Vulnerabilities

SQL Injection Explained: How It Works and How to Prevent It

A SQL injection attack inserts malicious database commands through an application's input fields, tricking the app into running them. It happens when an app uses unvalidated user input to build a database query.

Target: the database via input
Breaks: confidentiality or integrity
Fix: input sanitization

Malicious input → Unsanitized query → Database runs it → Data exposed
Unsanitized input lets attacker text become a database command.

How SQL injection works

Applications build database queries that often include user input. If that input is not checked, an attacker can type characters that change the query itself. SQL (Structured Query Language) is the language used to read and modify databases, so altering the query gives the attacker control over the data.

The classic move adds a condition that is always true to bypass a login.

Worked example: bypassing a login
The app builds: SELECT * FROM users WHERE name='[input]' AND pass='[input]'
The attacker types into the password field: ' OR '1'='1' --
The query becomes: ...WHERE name='admin' AND pass='' OR '1'='1' --'
'1'='1' is always true, so the check passes. The -- comments out the rest of the query.
Scenario

A bank's login form is breached when an attacker submits input containing ' OR '1'='1';-- . What attack is this?

Answer

SQL injection. The attacker's input altered the database query so the authentication check evaluated as always true, exploiting input that was fed directly into the query.

Exam tip

SQL injection targets the database through input fields. The always-true condition and the -- comment are the giveaways.

What SQL injection can do

An SQL injection attack can cause a breach of confidentiality by making the application return more data than it should (dumping records), or a breach of integrity by modifying or deleting data in the database. The same flaw can expose data and corrupt it.

The root cause is always the same: the application trusts user input and lets it become part of a command instead of treating it as plain data.

Scenario

Two apps take the same input, but only one is exploited by SQL injection. What likely differs?

Answer

Input sanitization. The safe app validates and cleans input so it cannot change the query structure, while the vulnerable app passes the input straight into the database command.

Preventing and detecting it

The defense is input sanitization: validate and clean user input so it is treated strictly as data and cannot alter a query. Building applications to be secure by design, treating all input as untrusted, closes the vulnerability at the source.
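The worked login bypass above and the fix described in this section, side by side in runnable form. This is an added example, not code from the original page: it uses Python's built-in sqlite3 module, a constructed in-memory users table with one sample row, and an assumed username allow-list (letters, digits, underscore). The string-built query reproduces the flawed pattern from the worked example; the parameterized query is the standard way of keeping input as data so that a quote or -- inside it can never change the command.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original page): one user row.
SAMPLE_USER = ("admin", "correct horse battery staple")

# Assumed validation policy for usernames: letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database holding the sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def build_vulnerable_query(name, password):
    """Build the login query by pasting raw input into the SQL text.

    This is the flawed pattern from the worked example: the input becomes
    part of the command, so quotes and comment markers change its structure.
    """
    return f"SELECT * FROM users WHERE name='{name}' AND pass='{password}'"


def login_vulnerable(conn, name, password):
    """Authenticate with the string-built query. Returns True if any row matches."""
    row = conn.execute(build_vulnerable_query(name, password)).fetchone()
    return row is not None


def login_parameterized(conn, name, password):
    """Authenticate with a parameterized query.

    The SQL text is fixed; the driver binds name and password as values, so
    a quote or -- inside them is compared as data, never parsed as SQL.
    """
    row = conn.execute(
        "SELECT * FROM users WHERE name=? AND pass=?", (name, password)
    ).fetchone()
    return row is not None


def username_is_valid(name):
    """Input validation step: reject usernames outside the allow-list."""
    return USERNAME_RE.fullmatch(name) is not None


def login_defended(conn, name, password):
    """Validate the username, then run the parameterized query."""
    if not username_is_valid(name):
        return False
    return login_parameterized(conn, name, password)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"  # the password-field input from the worked example
    print(build_vulnerable_query("admin", payload))
    print("vulnerable login with payload  :", login_vulnerable(db, "admin", payload))
    print("parameterized login with payload:", login_parameterized(db, "admin", payload))
    print("defended login, real password   :", login_defended(db, "admin", SAMPLE_USER[1]))
```

Running it prints the expanded query exactly as the worked example shows it, then True for the vulnerable login, False for the parameterized one with the same input, and True for the defended login only with the real password. The password is deliberately not filtered through the allow-list, since passwords may legitimately contain quotes; parameter binding is what makes that safe, and the allow-list on the username is an extra validation layer, not a substitute.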

When sanitization fails, SQL injection attempts can still be spotted in application and server logs by their signatures.

Detection signature in logs    What it looks like
Quote characters               A single or double quote inside an input field
Always-true condition          OR 1=1
SQL comment                    A double dash --
SQL control words              WHERE, IN, FROM (usually capitalized)

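The four log signatures from the table, run over sample log lines. This is an added example, not code from the original page: the Apache-style access log lines are constructed for it, and the regular expressions are one reasonable encoding of each signature (the always-true pattern accepts both OR 1=1 and the quoted OR '1'='1' form). The scanner extracts and URL-decodes the request's query string before matching, because encoded input (%27, %3D) would otherwise hide every signature.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines for this example (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=alice&pass=s3cret HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /login?user=admin&pass=%27+OR+%271%27%3D%271%27+-- HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /search?q=shoes+OR+1%3D1 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 1024',
]

# Request target inside the quoted request field of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

# The four signatures from the table, as (name, pattern). Output keeps this order.
SIGNATURES = [
    ("quote", re.compile(r"[\"']")),
    # OR 1=1 and its quoted form OR '1'='1': any token compared with itself
    ("always-true", re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.IGNORECASE)),
    ("comment", re.compile(r"--")),
    # Capitalized only: lower-case "in" and "from" are ordinary English in search boxes
    ("control word", re.compile(r"\b(?:WHERE|IN|FROM)\b")),
]


def decode_query(line):
    """Return the URL-decoded query string of the logged request, or '' if none."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    query = m.group(1).partition("?")[2]
    return unquote_plus(query)


def scan_query(decoded_query):
    """List the signature names found in a decoded query string."""
    return [name for name, pat in SIGNATURES if pat.search(decoded_query)]


def scan_log(lines):
    """Return (line index, signatures) for every line with at least one signature."""
    hits = []
    for i, line in enumerate(lines):
        found = scan_query(decode_query(line))
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for i, found in scan_log(LOG_LINES):
        print(f"line {i}: {', '.join(found)}")
```

The login attempt on the second line trips three signatures at once (quote, always-true, comment), the search on the third line trips the always-true condition, and the fourth line trips only the quote: a search for O'Brien is a legitimate apostrophe, which is why a single quote by itself is weak evidence and why scoring by the number of distinct signatures per request cuts down false positives.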
Exam tip

SQL injection, XSS, and directory traversal all share one root cause (trusting unchecked input) and one core fix (input sanitization).

Real-world example

A long-standing top web risk

SQL injection has ranked among the most damaging web application flaws for years because so many apps build queries from user input without sanitizing it. The fix has been known just as long.

Sanitize input; treat it as data, not commands.

Key Terms

SQL injection: Inserting malicious commands through input to alter a query.
Query: A command an application sends to a database.
Input sanitization: Cleaning input so it cannot change a query.
Directory traversal: A related attack abusing unchecked input to reach files.

Common Mistakes

Thinking SQL injection targets the network

It targets the database through the application's input fields.

Blaming the database engine

The flaw is unvalidated input in the application, not the database itself.

Assuming only logins are at risk

Any input that reaches a query (search boxes, forms, URLs) can be a vector.

Forgetting the shared root cause

SQL injection, XSS, and directory traversal all exploit trusting unchecked input.

Check for Understanding

Question 1
An attacker submits ' OR '1'='1';-- into a login form and gains access. Which attack is this?
B. The always-true condition and SQL comment injected through input are signatures of SQL injection.

Question 2
A SQL injection attack can breach which security goals? I. Confidentiality. II. Integrity. III. Physical safety.
A. It can leak data (confidentiality) and modify or delete it (integrity). Physical safety is unrelated, so III is false.

Question 3
Which control most directly prevents SQL injection?
B. Sanitizing and validating input ensures it is treated as data, not as part of a database command.

Question 4
The root cause of SQL injection is that the application:
D. The flaw is letting unchecked user input become part of the database command.

Question 5
Reviewing logs, which entry most suggests an attempted SQL injection?
C. OR 1=1 and the -- comment are classic SQL injection signatures.

Question 6
SQL injection primarily targets:
A. It targets the database by injecting commands through the application's input fields.

Frequently Asked Questions

An attack that inserts malicious database commands through an application's input fields. If the app uses that input to build a query without sanitizing it, the attacker can read, change, or delete data.
Input sanitization: validate and clean user input so it is treated as data and cannot alter a query. Designing applications to distrust all input closes the vulnerability.
It injects an always-true condition into the query so a check such as a login passes regardless of the real credentials, and a trailing -- comments out the rest of the query.
By scanning application and server logs for signatures: quote characters in input, the always-true OR 1=1, the -- comment, and capitalized SQL control words like WHERE, IN, and FROM.
