What are the main types of SQL injection?
Short answer
SQL injection lets attacker input alter a query. In-band techniques return data directly: union-based appends a UNION SELECT to pull extra columns, and error-based leaks data through database error messages. When no output is visible, attackers use blind SQLi — boolean-based infers data from true/false response differences, and time-based uses delays like SLEEP() to read data one bit at a time.
SQL injection happens when untrusted input is concatenated into a query so the input changes the query's structure, not just its data. Attackers categorize techniques by how they get the data back — which depends entirely on what the application reveals in its responses.
In-band: data comes straight back
- Union-based. The attacker appends
UNION SELECT ...to make the database return additional rows from other tables in the same result set the app already displays. It requires matching the original query's column count and compatible types, often discovered withORDER BYprobing orNULLpadding. - Error-based. The app shows database errors, so the attacker crafts input that forces the DBMS to embed sensitive data inside an error message (e.g. via type-conversion or
EXTRACTVALUE). Fast, but only works when verbose errors leak to the user.
Blind: no data is shown, so infer it
When the app returns no query output and no errors, the attacker extracts data one boolean at a time:
- Boolean-based. Inject a condition (
AND 1=1vsAND 1=2) and watch whether the page content changes (results shown vs not). Each true/false answer reveals one bit, letting the attacker reconstruct values character by character. - Time-based. When even the page content does not change, the attacker injects a conditional delay —
IF(condition, SLEEP(5), 0). A slow response means "true." It is the slowest method but works against fully blind endpoints.
Out-of-band (worth a mention)
When neither in-band nor timing works, attackers can exfiltrate via a side channel like a DNS or HTTP request the database makes — useful in heavily firewalled environments.
The fix for all of them is the same: parameterized queries.
Interviewers look for the in-band vs blind distinction, the reasoning that technique choice depends on what the response reveals, and recognition that time-based is the last resort.
Likely follow-ups
- Why does an attacker resort to time-based blind injection?
- How does a UNION-based injection need to match column count and types?
- What is second-order SQL injection?