Preventing SQL Injection Attacks

⏱️ 28 sec read 📊 SQL

SQL injection occurs when attackers insert malicious SQL into your queries through user input. Prevent it with parameterized queries, prepared statements, and proper input validation.

Vulnerable Code (Never Do This!)

-- DANGEROUS: Direct string concatenation
username = request.form['username']
password = request.form['password']

query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"

-- Attacker enters: ' OR '1'='1
-- Resulting query: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = ''
-- This returns all users!

Safe Code: Parameterized Queries

Python (SQLite/MySQL)

import sqlite3

username = request.form['username']
password = request.form['password']

# Safe: Parameters are properly escaped
cursor.execute(
    "SELECT * FROM users WHERE username = ? AND password = ?",
    (username, password)
)

Python (PostgreSQL with psycopg2)

cursor.execute(
    "SELECT * FROM users WHERE username = %s AND password = %s",
    (username, password)
)

PHP (PDO)

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->execute(['username' => $username, 'password' => $password]);

Node.js (MySQL)

connection.query(
    'SELECT * FROM users WHERE username = ? AND password = ?',
    [username, password],
    function(error, results) { }
);

Additional Security Measures

Stored Procedures

-- Create procedure
CREATE PROCEDURE ValidateUser(@username VARCHAR(50), @password VARCHAR(50))
AS
BEGIN
    SELECT * FROM users
    WHERE username = @username AND password = @password;
END;

-- Call it (parameters automatically escaped)
EXEC ValidateUser @username = 'john', @password = 'secret';

Input Validation

-- Whitelist allowed characters
def validate_username(username):
    if not re.match("^[a-zA-Z0-9_-]{3,20}$", username):
        raise ValueError("Invalid username format")
    return username

Security Checklist

Always use parameterized queries: Never concatenate user input
Principle of least privilege: Database users should have minimal permissions
Validate input: Check format, length, and allowed characters
Hash passwords: Never store plain text passwords
Use ORMs carefully: Even ORMs can be vulnerable if misused

Pro Tip: Parameterized queries are your first and best defense. They separate SQL logic from data, making injection impossible. Never trust user input—validate everything!

← Back to SQL Tips