SQL Injection Attacks: Statistics, Real‑World Examples, and Protection Strategies

Common Attacks on SQL‑Based Applications

SQL Injection is a code‑injection technique that allows attackers to insert malicious SQL statements into application inputs, which are then executed by the database engine. Typical goals include identity spoofing, data tampering, data theft, data destruction, and privilege escalation.

Imperva WAF Statistics

Imperva’s Web Application Firewall blocks millions of SQLi attempts each day; at least 80 % of the protected sites see attacks every month, and hundreds of sites face daily SQLi attempts.

Statistics on attacked countries, industries, and tools are shown in the following charts.

Figure 1: Industry Distribution of Attacked Websites – The health sector is the most targeted, reflecting findings from the 2018 BakerHostetler cybersecurity report.

Most‑targeted databases (descending): Oracle, PostgreSQL, MySQL, MongoDB. Most‑targeted platforms: WordPress, Drupal, Joomla, Quest.

Figure 2: Attack Sources by Country/Region – Attackers often target sites in their own region, though VPN/proxy usage can obscure true origins.

Common public CVE exploits (e.g., CVE‑2017‑8917, CVE‑2015‑7858) appear in 66 000 monitored events.

Figure 3: Top Vulnerability Scanners – While SQLi Dumper is effective, Joomla scanners also generate significant traffic.

Monthly monitoring of thousands of malicious IPs reveals that a small fraction of IPs generate the majority of SQLi requests.

Figure 4: Daily IP Attempt Distribution – Blue line: percentage of IPs that attempt SQLi on a given day; orange line: proportion of total SQLi requests coming from those IPs (over 80 %).

Figure 5: Top Attack Tools – cURL is widely used, often for post‑attack verification; Python is the preferred weapon, and Ruby scripts power Metasploit modules.

Attack Examples

Recent month’s most frequent injection vectors are listed below:

Vector

Incidents

Description

1 and 1=2 union select password from qianbo_admin

634,566

Trying to query passwords

1’A=0

125,365

Probing

N;O=D and 1=1

nessus= or 1=1–

CONCAT('whs(',' )SQLi')

76,155

Probing by vulnerability scanners: Veracode, Nessus and WhiteHat Security

' union select unhex(hex(version())) —

848,096

Attempting to discover database version

;WAITFOR DELAY '00:00:28';

1,226,955

Blind probing – testing for delay in response

How to Protect Your Application from SQL Injection

Protection measures can be applied during development and after deployment.

During Development

Use Prepared Statements – Parameterized queries separate code from data, preventing injected statements from being executed.

Below are two Python examples, one using prepared statements and one without.

def add_employee(id: int, email: str):
    sql = """INSERT INTO employees (id, email) VALUES (%s, %s)"""
    cursor = connection.cursor(prepared=True)
    cursor.execute(sql, (id, email))
    cnx.commit()
    cursor.close()

The above code sends values to the database via a separate execution method, eliminating injection risk.

def add_employee(id: int, email: str):
    sql = f"""INSERT INTO employees (id, email) VALUES ({id}, {email})"""
    cursor = connection.cursor()
    cursor.execute(sql)

Without prepared statements, malicious input could alter the SQL command.

Additional defensive techniques include:

Sanitization – Remove potentially dangerous keywords or characters (e.g., SELECT, DROP TABLE, WAITFOR DELAY).

Escaping – Escape characters with special meaning in SQL (e.g., replace single quote with two single quotes).

Escaping + Pattern Checking – Validate numeric/boolean types and enforce patterns for strings.

Database Permission Restriction – Grant the application only the privileges it truly needs.

Post‑Development – Application Security

Vulnerability Scanners – Regularly scan for SQLi flaws and remediate them.

Web Application Firewalls (WAF) – Detect and block injection attempts in real time.

Conclusion

Protecting products from SQL injection is essential to maintain availability and prevent data breaches. Incorporating secure coding practices from the start, coupled with testing, scanning, and WAF protection, offers a comprehensive defense against this long‑standing threat.

Original source: Imperva Blog