Glossary · 2 min read

Query Injection

A class of vulnerabilities where attacker-controlled input is incorporated into a query language statement, altering its intended logic.

Query injection is a broad category of vulnerabilities that occurs when user-supplied input is embedded into query language statements without proper sanitization or parameterization. The most well-known variant is SQL injection, but the concept extends to any query language including LDAP, NoSQL, GraphQL, XPath, and ORM query builders. When exploited, query injection can allow attackers to read, modify, or delete data, bypass authentication, and in some cases execute system commands.

How It Works

Applications frequently construct queries by concatenating user input directly into query strings. When a login form builds a query like "SELECT * FROM users WHERE username = '" + userInput + "'", an attacker can input admin' OR '1'='1 to modify the query logic and bypass authentication entirely. The database interprets the injected SQL as part of the query rather than as data, fundamentally changing what the query does.

NoSQL databases are not immune. MongoDB queries constructed from JSON input can be manipulated using operators like $gt, $ne, or $regex. An attacker submitting {"username": "admin", "password": {"$ne": ""}} can bypass password checks because the query matches any document where the password is not empty. LDAP injection follows similar patterns, with attackers injecting filter operators to manipulate directory queries.

Effective prevention relies on parameterized queries or prepared statements, which separate the query structure from the data values. The database engine treats parameters as literal values rather than executable query syntax, making injection structurally impossible regardless of what the input contains. Input validation provides an additional layer but should never be the sole defense, as query languages offer numerous encoding and syntax variations that can bypass filters.
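As an added example (not code from this page or its author), the concatenated login query described above is placed beside its parameterized form, using Python's standard sqlite3 module against a constructed in-memory table; the NoSQL part assumes a hypothetical request-body dict and shows the type check that keeps operator objects such as {"$ne": ""} out of the filter.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): two users with plaintext passwords,
    kept that way only to mirror the glossary's query; real systems compare hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text, so a quote in the input ends the
    string literal and the rest is parsed as query syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened: '?' placeholders fix the statement shape; the driver binds the inputs
    as literal values, so quotes and keywords in them are just characters."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def build_login_filter(body):
    """Hypothetical NoSQL counterpart: only plain strings are accepted for credential
    fields, so a JSON object carrying a query operator never becomes part of the filter."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credential fields must be strings")
    return {"username": username, "password": password}


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"
    print("concatenated :", login_concat(db, payload, "wrong"))  # admin row returned
    print("parameterized:", login_param(db, payload, "wrong"))   # no match
```

With the concatenated build, the injected username yields WHERE username = 'admin' OR '1'='1' AND password = 'wrong', which matches the admin row without the password; the parameterized form compares the whole payload as a username string and returns nothing.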

Why It Matters

Query injection remains one of the most dangerous vulnerability classes because it provides direct access to backend data stores. A single injectable parameter can expose an entire database, including credentials, personal information, and business-critical data. Security assessments prioritize testing every input that interacts with a query language, as even one unparameterized query can undermine an otherwise well-secured application.
