/g/ - Technology


I have a question: if I want to hack into a database, is SQL injection the best tool for that, or are there better alternatives?
>>
Basically it's impossible nowadays. SQL Injection was a result of user input being executed on the database. Most modern websites have protection put in place to prevent that. How it actually worked was user input such as a search or input field was sent to the database directly and the input would be something like this: '"; SELECT * FROM USERS;"' which would end up executing something like:
"select * from search where user_input like "%"; SELECT * FROM USERS;" and you'd get the complete user table or whatever. Anyways that really doesn't happen any more.

Hacking a database directly is basically impossible because any well configured database will only be accessible from certain IP addresses eg the server with the websites can only access the database server. So it's a whole big deal where you'd have to get into the web server first then connect to the database server.
>>
>>107474704
It obviously still happens since databases are still being sold
>>
>>107474612
the best method is whatever is available, you don't have the luxury of choosing what you want to do.
>>
>>107474704 I understand, but thanks for the information.
>>
>>107474612
SAAAAR REDEEM THE BOOMER ACCESS DATA
>>
>>107474704
That's stacked injection that you are trying to describe
The common SQL injection is when the code is written like this

SELECT * FROM users WHERE username = '" + user_input + "' AND password = '" + pass_input + "';
and then you just put username = 'admin' and password '1=1' and you logged in as admin

>Hacking a database directly is basically impossible because any well configured database will only be accessible from certain IP addresses eg the server with the websites can only access the database server. So it's a whole big deal where you'd have to get into the web server first then connect to the database server.
You have no idea.
Everything is on the cloud and it is getting CONSTANTLY hacked
All info has been hacked already and keeps getting hacked every single day

You may have noticed that every single OS updates all the time with "security patches"
What do you think this means?
That it had vulnerabilities up to that point that were being exploited
And that's just the known vulnerabilities
There are so many unknown, as well as insider attacks etc etc

AND SQL injection is still possible in some legacy systems or hobby projects etc.
>>
what you really want is a foreign gov to give you all legitimate looking paperwork and ID that fools hr people for a lesser position at a place like cloudflare
Then you hop onto some devs machine that has access get the information you need and disappear again with help from said gov
golden examples include theft of information looking like normal development work that is not detected as abnormal and the job ends amicably where your next assignment includes doing it to another company
only places that have insane levels of scrutiny on the employees are immune and this makes the work environment insufferable so this isn’t given the priority people think it does
even having a restrictive badge system of physical access doesn’t help when the dirty employee has access with that badge

trying to get in from the outside just gets you noticed by IDS where a log is kept and they will watch you do everything without shutting anything down because it gives them more information on how to fix ways the person got in

basically don’t ask about this stuff anywhere because you asking makes you suspect
also here is even worse

Personally I never have done anything wrong on this website and I have some losers with day jobs using my name to reply to me, I just see what has been posted here and trolled people
I haven’t done anything wrong and people are up on my jock

I don’t appreciate some crayon muncher who willingly signed up to safari the “teh sandbocks hurr” getting all upset at me for no reason, he has to monitor this place for low pay like a total fucking loser

You are the one who’s wrong buddy and always will be
You are spying on innocent Americans and you’re a cunt of all cunts

Last post ever, just leave me alone
Police these morlocs I guess you now bore me and the site sucks, so good riddance
>>
>>107474612
if you can get the web server user shell you might be able to find db creds in a file somewhere
or if it's on the same server and you privesc?
sql injection is fairly sanitized but you never know
and you can script kiddie it up with sqlmap too
>>
>>107474740
Not by SQL injection
>>
>>107474704
SQL injections will get more common again because ORMs don't make use of features that became widespread during old PHP days.
Like prepared statements, which are objectively the safest way to execute SQL, where the parameters are sent separately, using a different protocol that needs no escaping.
I never saw an ORM use them properly.

At the same time we use SQL less nowadays, but have key-value stores like redis or nosql dbs like mongodb.
And the amount of time those get hacked because of stupid shit is unreal (like those cloud buckets with passwords exposed or redis instances accidentally being public).
>>
>>107475012
cool, here's an SQL injection vulnerability in sequelizejs:
https://github.com/advisories/GHSA-wrh9-cjv3-2hpw

ORMs are unsafe.
>>
>>107474704
As long as PHP developers exist, SQL injections will forever be a thing. Their incompetence is what keeps website hacking afloat.

Doesn't matter how many great, easy, highly recommended APIs to escape parameters or use prepared statements get added, some dumb fuck will always just concat a string together, then execute it.
>>
>>107475103
The major ORMs are safe. And if you ever have any worry, it's easy to test for yourself.
Pretty much all security is a solved issue. The only unsolved part of it is getting people to adhere to correct practices and not being retarded which is a hard problem.
>>
Wow I'm really surprised you guys are saying it still happens. Literally the last hack I remember seeing personally was just random Wordpress plugin shit like 10 years ago. I worked for some web dev shop and the client had installed some random vulnerable plugins that fucked everything. Other than that since everything mostly just exists on Amazon RDS or the Google / Microsoft MySQL equivalent and most devs nowadays are using frameworks with ORMs. I doubt this generation of web devs even write SQL never mind custom authentication that's not just some 3rd party OAuth shit.
>>
>>107475543
You really got to make it happen now. Even with modern ORMs you can completely subvert the protections if you do dumb crap like string concatenation in a raw query
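
Added example, not part of any post in this thread: the string-concatenated login query quoted earlier next to a prepared-statement version, run against an in-memory SQLite table so the difference can be checked in a regression test. The table, credentials, function names and test inputs are constructed for illustration.

```python
import sqlite3

# Constructed test inputs: a quote-bearing tautology and a benign name with a quote.
TAUTOLOGY = "x' OR '1'='1"
BENIGN_QUOTE = "o'brien"


def make_db():
    """In-memory table with one constructed account (plaintext only to keep
    the demo short; real systems store password hashes)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret-constructed"))
    return db


def login_concat(db, username, password):
    """Vulnerable pattern: input is spliced into the SQL text, so a quote
    in the input changes the structure of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_param(db, username, password):
    """Hardened pattern: the statement is fixed and the values are bound
    separately, so they are only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def audit(login_fn):
    """Regression check for a login function: returns a list of findings,
    empty when quote-bearing input is handled as plain data."""
    db = make_db()
    findings = []
    if not login_fn(db, "admin", "s3cret-constructed"):
        findings.append("valid credentials rejected")
    try:
        if login_fn(db, "admin", TAUTOLOGY):
            findings.append("quote-bearing password accepted")
        login_fn(db, BENIGN_QUOTE, "x")
    except sqlite3.Error as exc:
        findings.append("input reached the SQL parser: %s" % exc)
    return findings


if __name__ == "__main__":
    print("concat:", audit(login_concat))
    print("param: ", audit(login_param))
```

The same audit applies to an ORM's raw-query escape hatch: wrap the call in a function with this signature and an empty findings list means the values were bound rather than concatenated.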
>>
>>107475543
>Wow I'm really surprised you guys are saying it still happens.
Vibe coders.
But apart from those idiots, there's always some lazy fools about who don't want to think.


