Injection Attacks: From SQL to AI Prompt Injection

ByNeil Richardson

Injection attacks remain one of the biggest cyber threats.

They take advantage of input fields and data-processing tools to break into systems, steal data, or interrupt their normal functioning.

But how does that actually happen?

First, let’s define two things: 

Data: Something that is intended to be ‘read’.
Code: Something that is intended to be ‘run’ (a command).

Injection attacks occur when a hacker ‘tricks’ the computer into reading data as code.

For example, think of a website login screen. When you enter a username and password into the form, you use two input fields: ‘Username’ and ‘Password’

In this scenario, a hacker would execute an injection attack by typing something in the input fields that your web server reads as code, and executes.

If that code says ‘let me log in without a password’ or ‘give me a list of all user names and passwords’, then you’re in trouble. (This is a simplistic way of explaining it, but these kinds of injection attacks are common).

Think of all the forms, search fields and messaging options on your website / app and you’ll start to see a large attack surface for would-be hackers.

In the next sections, I’ll take you through the 4 main types of injection attacks and explain how you can defend against them.

Common Types of Injection Attacks

1. Command Injection:

This is the type of attack I outlined above. In essence, a command injection is a security issue where a hacker tricks a website or app into running harmful commands. 

This can happen when a website has a text box or form where you can enter information, but it doesn’t properly check what’s being typed.

Web servers often run commands in the background for tasks like checking system health or fetching data. 

But, if the input field isn’t protected, an attacker can enter dangerous commands that go beyond what the system should allow. 

They could insert a command that deletes important files, exposes sensitive data, or gives the attacker control over the server.

2. SQL Injection (SQLi): 

SQLi is a type of cyberattack that uses Structured Query Language (SQL) to exploit an SQL database. 

A query is a command or set of instructions written in SQL used to interact with a database, like retrieving, updating, or deleting data.

The main idea behind an SQLi attack is to manipulate the database into running commands (code) it wasn’t meant to. 

This is often done by inserting harmful SQL code into an input field, like a search bar. 

For example: imagine a product search field where the system checks a database for matching items. 

An attacker could input special SQL code to mess with the query, forcing it to show all records instead of just the ones matching the search. 

This could expose hidden products, future releases, or pricing details.

Even worse, SQLi attacks can be used to gain unauthorised access to sensitive data like usernames, credit card details, and other personal information, if they’re stored in the same database.

Note: Though this example examines SQL databases, which are extremely common, the same logic can apply to any kind of database.

3. Cross-Site Scripting (XSS): 

Cross-site scripting (commonly known as XSS) is a web security vulnerability where harmful code is injected into web pages, causing it to run in the browsers of other users. 

Essentially, the hackers are targeting your visitors rather than your website.

This type of attack often takes advantage of websites that don’t properly filter user-generated content, such as comments on a blog or forum posts. 

Normally, you expect comments to be plain text, but a hacker can embed hidden code instead.

Browsers load websites by reading each page’s ‘code’ (html, Javascript etc.) and displaying the page as requested. In this scenario, a comment might include a string of hidden code, which the browser runs while loading the page.

These hidden scripts can be dangerous, capable of:

  • Stealing login details by secretly capturing what a user types.
  • Redirecting users to malicious websites without their knowledge.

XSS happens when websites fail to properly check and block harmful content before displaying it. 

4. AI Prompt Injection: 

AI prompt injection is a more recent attack targeting artificial intelligence systems, like chatbots or virtual assistants.

It works by carefully crafting the instructions (or “prompts”) given to the AI to make it reveal information or bypass its own built-in rules.

For example, an AI might be programmed to avoid sharing private information or to block harmful content. 

However, someone could try to manipulate the AI by giving it cleverly worded prompts that confuse it into breaking those rules – like asking questions in a way that tricks the AI into revealing sensitive details or ignoring content filters.

This type of attack is particularly hard to defend against because AI systems are designed to respond based on the instructions they receive. 

Preventing Injection Attacks

Keeping your systems safe doesn’t have to be complicated. 

To get started, make use of these 4 key strategies:

1. Input Validation

This means double-checking anything users enter to make sure it’s safe before using it. 

Solid input validation can block most injection attempts by catching sketchy or unexpected data early on.

Try:

  • Whitelist Validation – Only allow specific, safe data formats. For example, if a field is for phone numbers, only allow numbers and limit the length.
  • Blacklist Validation – Block known bad patterns like SQL commands or symbols often used in attacks.
  • Length Limits – Keep input sizes reasonable to avoid attackers slipping in extra-long malicious code.
  • Special Character Conversion – Switch special characters into harmless text so they can’t be mistaken for code.

Remember to put input validation across the entire site, or your efforts could be wasted. 

2. Parameterised Queries and Prepared Statements

Parameterised queries are a great technique for securing databases from SQL injection attacks.

They work by keeping the structure of a database query separate from the data provided by users, ensuring that user input cannot alter the query itself.

Basically, instead of mixing user answers directly into the instructions, the system writes its instructions first with blank spaces (placeholders) for your name and password. 

It then fills in those blanks separately with your answers, treating them as plain information rather than part of the instructions.

This method keeps the instructions and your data clearly separated, so even if someone tries to submit harmful input, the system treats it as regular text. 

Which makes it much, much harder for attackers to break in or manipulate the system.

Pro Tip: Most modern programming languages and frameworks offer built-in tools for prepared statements – make use of them!

3. Limiting User Privileges

Don’t give users more power than they need. 

Even if someone manages to sneak past your defenses, limiting their access can keep damage under control.

Ways to limit privileges:

  • Principle of Least Privilege (PoLP): Give each user and app only the minimum access they need to get the job done.
  • Separate Database Accounts: Use different accounts for different tasks, like a read-only account for basic data lookup.
  • Restrict System Commands: Avoid letting applications run system-level commands unless absolutely necessary.
  • Disable Risky Functions: Turn off high-risk functions like exec() or system() if they’re not essential.

These steps ensure that even if someone breaks in, they won’t have full control.

4. Regular Security Testing and Code Audits

Stay alert with regular security check-ups! 

Frequent testing and code reviews help catch issues before they turn into bigger problems.

Try:

  • Automated Scanners: Tools can help spot common vulnerabilities automatically.
  • Manual Code Reviews: Go over your code carefully, especially where you handle user inputs or build dynamic queries.
  • Penetration Testing: Bring in “ethical hackers” to test your systems like real attackers would.
  • Secure Coding Practices: Follow best practices and use frameworks designed to reduce security risks.

Consistent security testing will keep your defenses strong even when your software and  hacking practices evolve.

Injection attacks can be stopped. 

All it takes is a bit of proactive effort from your team.

By checking inputs, using prepared statements, limiting user privilege and regularly testing, you can seriously cut down the risk.

At Cyber Alchemy, we help businesses lock down their databases and applications with services like penetration testing and cyber awareness training.

Contact us today to start building a safer, more secure digital world. 

Similar Posts