The SQL injection attack is not usually as dramatic as other cyber-attacks. In fact, it is generally present in everyday applications that had little or no issues until a user mistakenly abused them.
Example 1: Login Bypass Through Legacy Logic
A company has an internal web portal that is very old; the logic for authentication was created many years ago using technologies that are not very well supported anymore.
Issues with login logic:
1. User input was passed directly into a database query.
2. No use of parameterized queries.
3. The application assumes users can be trusted that are within the internal network.
Impact of login logic issues:
1. Attackers can access the system without a valid account.
2. Attackers can access features that are normally reserved for administrators.
Why this is important: Prior to the expansion of VPN access the application was considered "internal" and not at risk from external attackers, however now the application has moved from being "internal" to possibly being exposed to external threats.
Example 2: Search Feature Leakage of Customer Information
The search feature allows users to search for customers by name or email. Vulnerabilities in this feature were identified as follows:
1. All user search criteria are appending to the SQL statements in real-time.
2. The filtering criteria used to determine what to filter are being dynamically affected based on the user's input.
3. There is no restrictive binding of query parameters.
As a result, attackers were able to access customer records, as data was retrieved without issuing alerts or alarms. The activity of these attackers was indistinguishable from normal search activity; therefore, there were no alarms triggered by atypical behavior to warrant follow-up.
Why is this important? Since the database did not "fail," it merely returned the requested response to the attackers who queried it.
Example 3: API Endpoint Used for Reporting
The Reporting API allowed for multiple parameters to be entered by users which produced summary output.
The following is a description of the issues encountered using the Reporting API.
1. The user-defined parameters controlled, which sections of the SQL Query were used to create the output.
2. The backend system trusted the user's input at face value.
3. An attacker used an exploit to bypass an edge case within the sanitization process.
The overall impact of these vulnerabilities was:
1. Attackers being able to send their SQL Queries to the database.
2. Attackers being able to view financial and operational information.
3. Attackers being able to call the API directly as opposed to through the Web Application.
Why it mattered:
1. It was not a UI vulnerability.
2. It resided completely in the backend logic.
Example 4: admin panel that employed "safe" methods of accessing its database via stored procedures.
Specific issues with the admin panel's implementation of stored procedures are as follows:
1. The stored procedure calls utilized user-supplied data as input.
2. The assumption was made that stored procedures cannot be injected.
3. Dynamic SQL was included within the stored procedures.
Impact:
1. Attackers executed arbitrary queries from within the database.
2. Attackers were elevated through the privileges of the database account.
3. Log files showed “expected procedure calls” made by the attackers.
Why it mattered:
1. Stored procedures by default do not prevent injection attacks.
2. Stored procedures simply move the issue.
Example 4: Admin Panel had access to their database utilizing Stored Procedures:
The system relied on Stored Procedures as a primary means of accessing its database.
The following issues existed:
1. Stored Procedures were invoked with untrusted input
2. Incorrect belief that Stored Procedures are safe by default
3. Use of Dynamic SQL within Stored Procedures
Impact:
1. Arbitrary queries executed inside the database
2. Elevated privileges used by the database account
3. Logs showed “expected procedure calls”
Why it mattered:
1. Stored procedures don’t prevent injection by default.
2. They only move the problem.
Example 5: E Commerce Filters Gone Wrong
An Online store offered Advanced filtering options for Price, Category and Rating.
What went wrong: The filters used dynamic SQL query building. One of the filters had loose data types. There were no enforcement rules for what types of filters were allowed to be created.
Consequences: Attackers were able to create queries that extended the above filters, thereby retrieving product and order data. Because of this vulnerability, attacks went undetected for a minimum of 2 weeks.
Significance of this case: It worked as intended for a long time, then suddenly stopped working with no visible signs to Users.
Common Pattern Across All Examples
In every case:
1. Never any zero day exploits
2. No advanced tools
3. No noisy exploitation
Just:
1. Trusted input
2. Dynamic queries
3. Assumptions made under time pressure
Why These Examples Still Matter
SQL injection isn’t a “beginner mistake.”
It’s a design mistake that survives refactors, migrations, and upgrades.
Once it exists, attackers don’t rush. They explore carefully and blend in.
Arbitrary SQL execution doesn’t come from flashy exploits, it comes from small decisions made when speed mattered more than structure. Databases don’t know intent, they only execute what they’re told.