Manual SQL Injection
What is Manual SQL Injection
SQL Injection is a code injection technique that attackers use to insert malicious SQL statements into input fields for execution by the backend database. Unlike automated SQL injection using tools like SQLmap, manual SQL injection involves directly testing input fields to manipulate SQL queries.
Manual SQL Injection Techniques
There are several techniques used in manual SQL injection, including:
- Union-Based SQL Injection: This technique uses the UNION SQL operator to append the results of an injected query to the results of the application's original query, so that data from other tables is returned in the normal response.
- Error-Based SQL Injection: This technique manipulates SQL queries so that the database produces error messages, and those messages reveal sensitive information such as table names or data values.
- Blind SQL Injection: In cases where the application is configured to show only generic error messages and no query output, attackers send payloads and observe differences in the application's behaviour to infer whether it is vulnerable to SQL Injection.
Preventing Manual SQL Injection
Preventing SQL Injection involves securing the application's code. This can be achieved by:
- Parameterized Queries: Also known as prepared statements, these compile the SQL statement first, without any data, and then pass the data in separately as bound parameters. The database treats the parameters strictly as data, so an attacker cannot change the intent of the SQL statement.
- Escaping User Input: This involves escaping characters that have special meaning in SQL, for example by prefixing them with backslashes or doubling quote characters. The downside is that it doesn't protect against all SQL Injection attacks (for instance, it does nothing where the input is not enclosed in quotes, such as a numeric value) and can be bypassed by a skilled attacker.
- Least Privilege Principle: This involves giving each database account, including the one the application connects with, only those privileges which are essential to its work. This limits the potential damage of an SQL Injection attack.
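The following added example (not code from the original page) contrasts the three query styles discussed above using Python's built-in sqlite3 module and a constructed in-memory users table: a lookup that concatenates input into the statement, a lookup that relies on quote-escaping alone in a numeric context, and a parameterized lookup that binds the value. The function names, the table and the sample rows are all assumptions made for the demonstration; running it shows that the same input returns every row from the first two and nothing from the parameterized one.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: untrusted input is concatenated straight into the SQL text,
    so a value containing a quote can change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped_by_id(conn, user_id):
    """Escaping only: quote characters are doubled, but the id column is compared
    without quotes, so escaping does not stop additional SQL from being appended."""
    escaped = str(user_id).replace("'", "''")
    sql = "SELECT username, role FROM users WHERE id = " + escaped
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the statement is fixed and the value is bound with a
    placeholder, so the database only ever treats it as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_safe_by_id(conn, user_id):
    """Parameterized plus type validation: an id must be an integer before it is
    bound; anything else is rejected rather than sent to the database."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT username, role FROM users WHERE id = ?"
    return conn.execute(sql, (uid,)).fetchall()


def demo():
    """Run the same inputs through each lookup and return the row counts."""
    conn = make_db()
    # Constructed test inputs: a normal value, and values that would alter
    # the WHERE clause if they were spliced into the SQL text.
    tautology_name = "x' OR '1'='1"
    tautology_id = "2 OR 1=1"
    return {
        "unsafe_normal": len(lookup_unsafe(conn, "bob")),
        "unsafe_tautology": len(lookup_unsafe(conn, tautology_name)),
        "escaped_normal": len(lookup_escaped_by_id(conn, 2)),
        "escaped_tautology": len(lookup_escaped_by_id(conn, tautology_id)),
        "safe_normal": len(lookup_safe(conn, "bob")),
        "safe_tautology": len(lookup_safe(conn, tautology_name)),
        "safe_id_normal": len(lookup_safe_by_id(conn, 2)),
        "safe_id_tautology": len(lookup_safe_by_id(conn, tautology_id)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The parameterized versions are the ones to keep; the escaping-only function is included to show the gap the text describes, where the injected value never touches a quote and so the escaping has nothing to act on. Pairing the bound parameter with a least-privilege database account (read-only on this table, no access to others) is what limits the blast radius if a concatenated query is ever missed in review.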