Why it matters
SQL injection is largely preventable. Understanding both the attack and prevention is essential.
Advertisement
The architecture
Classic: query built by string concatenation. "SELECT * FROM users WHERE name = '" + input + "'". Malicious input breaks out.
Result: attacker's SQL executes with app's DB privileges.
Advertisement
How it works end to end
Parameterized queries: SQL and values separate. Values never interpreted as SQL. Standard prevention.
ORM: most ORMs use parameterized queries by default. Safe if used correctly.
Least privilege: DB user shouldn't have DROP TABLE permissions.
Input validation: type check, length check, but not sole defense.