Why it matters

SQL injection is largely preventable. Understanding both the attack and prevention is essential.

Advertisement

The architecture

Classic: query built by string concatenation. "SELECT * FROM users WHERE name = '" + input + "'". Malicious input breaks out.

Result: attacker's SQL executes with app's DB privileges.

SQL injection mechanismString concatvulnerableAttacker inputbreaks contextAttacker SQL runswith app privilegesParameterized queries send SQL and values separately; SQL never rebuilt from input
SQLi attack pattern.
Advertisement

How it works end to end

Parameterized queries: SQL and values separate. Values never interpreted as SQL. Standard prevention.

ORM: most ORMs use parameterized queries by default. Safe if used correctly.

Least privilege: DB user shouldn't have DROP TABLE permissions.

Input validation: type check, length check, but not sole defense.