Web Foundations & Databases · beginner · ~12 min
Read and write basic SQL (SELECT/INSERT/UPDATE/DELETE, WHERE, JOIN, UNION).
Relational data lives in tables queried with SQL: SELECT/INSERT/UPDATE/DELETE, filtered by WHERE, combined by JOIN, and stacked by UNION. WHERE and UNION are exactly where SQL injection operates.
You can't understand (or report) SQL injection without reading SQL. WHERE-clause concatenation and UNION SELECT are the mechanics behind the most damaging web data-exfiltration bug.
Tables: Rows × typed columns.
Four verbs: SELECT/INSERT/UPDATE/DELETE.
WHERE: Row filter — the injection point.
JOIN: Combine tables on a key.
UNION: Stack matching SELECTs — union-based SQLi.
Most web apps store data in a relational database queried with SQL. You don't need to be a DBA, but you must read SQL to understand injection.
Data lives in tables (rows × typed columns). The core statements:
SELECT name, email FROM users WHERE id = 42;
INSERT INTO users (name, email) VALUES ('ada', 'ada@x.com');
UPDATE users SET email = 'new@x.com' WHERE id = 42;
DELETE FROM users WHERE id = 42;
The WHERE clause filters rows. It's also exactly where SQL injection strikes: if user input is concatenated into the WHERE clause, ' OR '1'='1 turns a filter into "always true".
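The effect of concatenation described above, shown next to the parameterized form that prevents it. This is an added example, not part of the original lesson; it uses Python's sqlite3 with a constructed in-memory users table, and the sample rows and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO users (name, email) VALUES
            ('ada', 'ada@x.com'), ('bob', 'bob@x.com'),
            ('eve', 'eve@x.com'), ('o''hara', 'ohara@x.com');
    """)
    return db

def build_concatenated(name):
    # Vulnerable pattern: the input becomes part of the SQL text itself,
    # so a quote character in it changes the structure of the WHERE clause.
    return "SELECT name, email FROM users WHERE name = '" + name + "'"

def lookup_concatenated(db, name):
    return db.execute(build_concatenated(name)).fetchall()

def lookup_parameterized(db, name):
    # Hardened pattern: the ? placeholder binds the input as a value.
    # The SQL text is fixed before the input is ever seen.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # "ada" is ordinary input, the second value is the string from the
    # lesson, the third is a legitimate name that contains a quote.
    for value in ("ada", "' OR '1'='1", "o'hara"):
        print("input:", repr(value))
        print("  SQL text as built:", build_concatenated(value))
        try:
            print("  concatenated: ", lookup_concatenated(db, value))
        except sqlite3.OperationalError as exc:
            print("  concatenated:  query broke:", exc)
        print("  parameterized:", lookup_parameterized(db, value))
```

The concatenated lookup returns every row for the lesson's string and fails outright on the legitimate name o'hara, while the parameterized lookup treats both as plain values.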
JOIN combines rows across tables on a relationship:
SELECT u.name, o.total FROM users u JOIN orders o ON o.user_id = u.id;
UNION stacks the results of two SELECTs with matching columns. Attackers abuse UNION SELECT to append a query of their own (e.g. pulling password hashes) onto an injectable one — union-based SQL injection.
Reading these four verbs plus WHERE/JOIN/UNION is enough to follow how injection works.
SQL's four verbs plus WHERE/JOIN/UNION are enough to follow how a query is built — and therefore how injected input subverts it. This is the groundwork for the SQL-injection lessons.