Detect potential SQL injection vulnerabilities in query strings. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.
Use Cases
Scan user-facing input fields for common SQL injection patterns during security review.
Test whether a legacy application's input handling is vulnerable before a penetration test.
Validate that input sanitization code correctly blocks injection attempts.
Audit query strings in URL parameters for injection vectors before a public launch.
Tips
Parameterized queries (prepared statements) prevent SQLi categorically — detection tools are a defense-in-depth layer, not a substitute for parameterization.
Test with second-order injection: store a payload in the database and check whether it executes when retrieved and used in another query.
URL-decode and base64-decode input before running detection — obfuscated injection payloads bypass naive pattern matching.
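The decoding tip above matters because a pattern matcher only sees what it is given. The following added example (written for this page, not the tool's own scanning code) normalizes a query-string value by peeling URL-encoding layers and trying one base64 layer before matching a small, illustrative signature set; the signature list and the sample inputs are constructed assumptions, not the tool's rules. It reports which signature families fire on the raw value versus the normalized one, so the gap naive matching leaves is visible.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Illustrative signature families (an assumption for this example; not the tool's own rule set).
SIGNATURES = {
    "tautology":     re.compile(r"\b(or|and)\b\s+['\"]?(\w+)['\"]?\s*=\s*['\"]?\2", re.IGNORECASE),
    "comment":       re.compile(r"(--|/\*|#)"),
    "stacked_query": re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.IGNORECASE),
    "union_select":  re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE),
    "time_based":    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.IGNORECASE),
}


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Peel URL-encoding layers, then try one base64 layer, so the matcher sees plaintext.

    Base64 is only accepted when the candidate is a valid, padded base64 string that
    decodes to printable ASCII; otherwise the input is left untouched, which keeps
    ordinary words from being mangled. Note that unquote_plus turns '+' into a space,
    so base64 containing '+' must have been percent-encoded as %2B in the URL.
    """
    text = raw
    for _ in range(max_rounds):            # bounded: double/triple-encoding is common
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    candidate = text.strip()
    if len(candidate) >= 8 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
        try:
            plain = base64.b64decode(candidate, validate=True).decode("ascii")
            if plain.isprintable():
                text = plain
        except (binascii.Error, UnicodeDecodeError):
            pass
    return text


def scan(value: str) -> dict:
    """Return which signature families fire on the raw value and on the normalized value."""
    normalized = normalize(value)
    return {
        "normalized": normalized,
        "raw_hits": sorted(n for n, rx in SIGNATURES.items() if rx.search(value)),
        "hits": sorted(n for n, rx in SIGNATURES.items() if rx.search(normalized)),
    }


# Constructed sample inputs (not captured from any real application).
SAMPLES = {
    "plain":      "Robert'); DROP TABLE Students;--",
    "urlencoded": "%27%20OR%20%271%27%3D%271",   # decodes to: ' OR '1'='1
    "base64":     "JyBPUiAxPTEgLS0=",             # decodes to: ' OR 1=1 --
    "benign":     "O'Brien",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        result = scan(value)
        print(f"{label:11} raw={result['raw_hits']} normalized={result['hits']}")
```

The encoded samples produce no raw hits at all: the `\b` word boundaries in the tautology rule do not even fire on `%20OR%20`, because the digits around `OR` are word characters. Only after normalization do the tautology and comment families match, which is exactly the bypass the tip describes.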
Fun Facts
SQL injection has appeared in the OWASP Top 10 web vulnerabilities list every year since the list's creation in 2003 and was ranked #1 as recently as 2017.
The 2008 Heartland Payment Systems breach, which compromised 130 million credit card records, was executed via SQL injection — at the time the largest data breach in history.
Bobby Tables (xkcd #327, 2007) introduced SQL injection to popular culture. The comic's title character, "Robert'); DROP TABLE Students;--", is now the canonical illustrative example of the attack.
FAQ
What's the difference between SQL injection and blind SQL injection?
In standard SQLi, the attacker reads database output directly from the response. In blind SQLi, the application returns no output — the attacker infers information from boolean responses (true/false) or time delays (sleep-based).
Do parameterized queries alone prevent all SQL injection?
Yes, for direct injection — parameterized queries are the definitive fix. Second-order injection (stored payloads executed later) additionally requires sanitizing stored data whenever it is used in a dynamic query, even after storage.
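The second-order tip under Tips and this FAQ answer make the same point: a value that was stored safely is still untrusted input when a later query uses it. The added example below (constructed for this page, not the tool's code) uses an in-memory SQLite database: registration binds the username as a parameter, so a tautology payload is stored verbatim and harmlessly; a later lookup that pastes the stored value into SQL text returns every user's email, while the same lookup with a bound parameter returns only the intended row. The table, the users and the payload are all constructed.

```python
import sqlite3

# Constructed attacker-chosen username: inert when bound as a parameter, active when
# a later query concatenates it into SQL text (second-order injection).
STORED_USERNAME = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Create a constructed users table and register three accounts with bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    rows = [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        (STORED_USERNAME, "eve@example.test"),   # stored verbatim; the INSERT is parameterized
    ]
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", rows)
    return conn


def stored_username(conn: sqlite3.Connection, user_id: int) -> str:
    """Read a username back from the database (parameterized, first-order safe)."""
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def emails_for_user_vulnerable(conn: sqlite3.Connection, user_id: int) -> list:
    """Second-order bug: trusts the value because it 'came from our own database'."""
    name = stored_username(conn, user_id)
    sql = f"SELECT email FROM users WHERE username = '{name}' ORDER BY id"
    # For user 3 this becomes: ... WHERE username = '' OR '1'='1' ORDER BY id
    return [row[0] for row in conn.execute(sql)]


def emails_for_user_safe(conn: sqlite3.Connection, user_id: int) -> list:
    """Fixed: the stored value is bound, so it can only ever be compared as data."""
    name = stored_username(conn, user_id)
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE username = ? ORDER BY id", (name,))]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable lookup for user 3:", emails_for_user_vulnerable(db, 3))
    print("safe lookup for user 3:      ", emails_for_user_safe(db, 3))
```

The stored payload never triggered anything at insert time, which is why input validation at the point of entry alone does not close the hole; the lookup query has to bind the value too.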