How to Detect SQL Injection Attempts in Your Nginx Logs

How to Detect SQL Injection Attempts in Your Nginx Logs Your nginx access logs are a goldmine of security intelligence — if you know what to look for. SQL injection attempts leave clear fingerprints in your logs, and catching them early lets you block attackers before they find a vulnerable endpoint. Here's how to find them. What SQL Injection Looks Like in Logs A typical nginx access log entry looks like this: 192.168.1.1 - - [19/Mar/2026:12:00:00 +0000] "GET /api/users?id=1 HTTP/1.1" 200 512 A SQL injection attempt looks like this: 185.220.101.45 - - [19/Mar/2026:12:01:23 +0000] "GET /api/users?id=1'+OR+'1'='1 HTTP/1.1" 200 512 185.220.101.45 - - [19/Mar/2026:12:01:24 +0000] "GET /api/users?id=1+UNION+SELECT+null,username,password+FROM+users-- HTTP/1.1" 500 128 185.220.101.45 - - [19/Mar/2026:12:01:25 +0000] "GET /api/users?id=1;DROP+TABLE+users;-- HTTP/1.1" 500 128 Key things to spot: URL-encoded quotes: %27 or ' SQL keywords in query strings: UNION , SELECT , DROP , INSERT , OR 1=1