A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands.
(Definition according to OWASP.)
When the application uses a SQL server (on the same machine) to maintain data such as credentials, and the application has login functionality, that login might be vulnerable to SQL injection. An attacker can then bypass the authentication and gain access to the application.
- We have seen this case in 2-tier applications, since they use a SQL/SQLite/MS Access server or file to maintain data on the same machine.
- It is often observed that 3-tier applications use an API, and that API might be vulnerable to SQL injection.
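The login case described above, shown as an added example (not code from any real application): a login check that concatenates input into the SQL text beside a parameterized one, run against an in-memory SQLite database standing in for the local data file of a 2-tier application. The table layout, function names, salt and credentials are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

DEMO_SALT = b"constructed-demo-salt"  # assumption: fixed salt only to keep the demo short


def digest(password):
    """Hex PBKDF2 digest of the password (constructed scheme for this demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db():
    """In-memory stand-in for the application's local SQLite file."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", digest("correct horse")))
    return db


def login_vulnerable(db, username, password):
    # Weak: the input becomes part of the SQL text, so a quote in the
    # username ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, digest(password)))
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, username, password):
    # Fixed: the statement text is constant; the username is bound as data
    # and can never change the structure of the query.
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    # Compare in application code, in constant time.
    return hmac.compare_digest(row[0], digest(password))


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"  # constructed test input: closes the literal, comments out the rest
    for name, pw in [("alice", "correct horse"), ("alice", "wrong"), (crafted, "wrong")]:
        print(repr(name), "vulnerable:", login_vulnerable(db, name, pw),
              "safe:", login_safe(db, name, pw))
```

The same two test inputs make a quick regression check when reviewing a thick client's data-access layer: any code path where the crafted username changes the outcome is building SQL from input.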