SQL injection: When a simple input becomes a security threat

Article 6 from the series "It’s a jungle out there: Navigating the digital danger zone"

SQL Injection (SQLi) is an attack technique where a threat actor inserts malicious SQL code into an application's database query by exploiting poorly validated user input. If input isn’t properly secured, the attacker can access, modify or delete data, or even take full control of the database.

Why it’s dangerous:

In the maritime and energy sectors, where many applications rely on database interactions, from logistics and communications to fleet management, SQLi can compromise critical operational data.

This may include changes to cargo manifests, scheduling data or spare parts ordering systems, or access to user accounts.

Examples from the field:

  • A fuel delivery app allows unauthorised access through a poorly validated order number input
  • A web login form for ship equipment monitoring systems lets an attacker extract admin passwords via injected SQL commands
  • A route update system retrieves incorrect coordinates due to manipulated query inputs, affecting vessel navigation

How to protect against it:

  • Use parameterised queries (prepared statements) and validate all user inputs
  • Deploy a Web Application Firewall (WAF) to detect and block injection attempts
  • Regularly patch and test applications with Marlink Cyber Audit and penetration testing services

SQL Injection is a reminder that security must be embedded at the design stage, because a single unprotected input can expose your entire data infrastructure. 
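
The first protection point above (parameterised queries plus input validation), shown as an added example that is not part of the original article, using Python's standard sqlite3 module and a constructed in-memory order table. The table, the FD-nnnn order-number format and the function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data for a hypothetical fuel delivery order lookup.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_no TEXT PRIMARY KEY, vessel TEXT, litres INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [("FD-1001", "MV Alpha", 40000), ("FD-1002", "MV Bravo", 65000)])
    return db

def lookup_vulnerable(db, order_no):
    # Weak form: the input is concatenated into the SQL text, so quote
    # characters in the input change the structure of the query itself.
    sql = "SELECT order_no, vessel, litres FROM orders WHERE order_no = '" + order_no + "'"
    return db.execute(sql).fetchall()

def lookup_parameterised(db, order_no):
    # Hardened form: the value is bound separately from the SQL text,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT order_no, vessel, litres FROM orders WHERE order_no = ?"
    return db.execute(sql, (order_no,)).fetchall()

ORDER_NO_RE = re.compile(r"FD-\d{4}")  # assumed order-number format

def lookup_validated(db, order_no):
    # Validation in front of the parameterised query: anything that is not
    # shaped like an order number is rejected before it reaches the database.
    if not ORDER_NO_RE.fullmatch(order_no):
        raise ValueError("invalid order number")
    return lookup_parameterised(db, order_no)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input of the kind a WAF rule looks for
    print("concatenated :", lookup_vulnerable(db, crafted))     # every order leaks
    print("parameterised:", lookup_parameterised(db, crafted))  # no rows match
    print("valid lookup :", lookup_validated(db, "FD-1001"))
    try:
        lookup_validated(db, crafted)
    except ValueError as exc:
        print("validated    :", exc)
```

With the concatenated query the crafted value returns every row in the table; with the bound parameter it is compared as a literal string and matches nothing, and the validation step rejects it before any query runs.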
