Quiz Entry - updated: 2026.07.05
What is an in-band SQL injection attack?
The stolen data comes straight back in the same response the attacker is already looking at.
In-band injection returns results directly through the same channel used for the attack — the simplest and most common case.
Example: Attacker sends:
' UNION SELECT username, password FROM users--
The query becomes:
SELECT name, description FROM products
WHERE category = 'Gifts' UNION SELECT username, password FROM users--
Results (usernames and passwords) are returned directly in the product listing response.
Go deeper:
PortSwigger — SQL injection — UNION-based and in-band extraction, with labs.
CWE-89: SQL Injection (MITRE) — the authoritative weakness definition.