diff --git a/tech/sqli.wiki b/tech/sqli.wiki index 1ac6010..231bc8d 100644 --- a/tech/sqli.wiki +++ b/tech/sqli.wiki @@ -8,8 +8,42 @@ appending a new command. Because the inserted command may have additional strings appended to it before it is executed, SQLI attack string generally end with a comment or `--`. +== Typical attack avenues == + +=== user input === + +Attacker crafts some input field text to send to server, that is then passed to +a database without first being sanatized. + +=== server variables === + +Server varaibles include HTTP headers, network protocol headers, and enviroment +variables. Web applications use these for logging usage stats and IDing browsing +trends. If put in a database without sanitiztation, when the data is later +queried by some application, it could be placed back into a database request, +triggering an attack. + +=== Second order injection === + +This occours when incomplete prevention mechanisms against SQLi attacks are in +place. This happens when the attacker provides some data to the system that is +first processed by the server, but after processing becomes an attack vector. + +=== Cookies === + +When client returns to a web application server, cookies restore client state. +Because client can control the cookie, attacker can alter cookies such that +when the pplication server builds an SQL Query based on the cookies content, +the structure/function of query is modified. + +=== Physical user input === + +Attacker may construct physical things outside of the realm of web requests. +This includes QR codes, RFID tags, or paper forms scanned with optical +character recognition. + == Also see == -Also see [[sql]] +* [[sql]]
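Review bot: In the added "Second order injection" section, the definition never states that the stored data is later read back and placed into a new query, which is what separates this avenue from the others; the last sentence of "server variables" ("when the data is later queried by some application, it could be placed back into a database request") describes exactly that pattern instead. Suggest moving that explanation under "Second order injection" and having "server variables" refer to it. The added lines also contain misspellings to fix before merging: "sanatized", "varaibles", "enviroment", "sanitiztation", "occours", "pplication". Heading capitalization is inconsistent ("=== user input ===" and "=== server variables ===" versus "=== Cookies ===" and "=== Physical user input ==="); pick one style for all five.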