  • #cybersecurity
  • #web-security
  • #sql
  • #owasp

SQL injection in 3 minutes

The vulnerability that won't die. What it is, why it works, how to stop it.


SQL injection is older than I am and still in the OWASP Top 10. Here's why.

What it is: You let user input become part of a SQL query without separating data from code.

Vulnerable code (don't do this):

const sql = `SELECT * FROM users WHERE email = '${email}'`;
db.query(sql);

If email is ' OR '1'='1, the query becomes:

SELECT * FROM users WHERE email = '' OR '1'='1'

Now you've dumped the whole users table.

The fix is one keyword: parameterize.

db.query('SELECT * FROM users WHERE email = $1', [email]);

The driver sends the query text and the parameter values to the database separately. The value is bound as data and never parsed as SQL, so there is no string for an attacker to manipulate.
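To make the difference concrete, here is an added example that is not part of the original post. It uses Python's standard sqlite3 module as the database so it runs with nothing installed; the table, the sample rows and the helper names (find_user_vulnerable, find_user_parameterized, demo) are all constructed for this illustration. It runs the same ' OR '1'='1 input from the post through a string-built query and a parameterized one, and also shows a legitimate address containing an apostrophe, which breaks the string-built query but works fine once parameterized.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
    ("o'brien@example.com", "O'Brien"),  # legitimate value containing a quote
]

# The injection string from the post, used only to show the two behaviours side by side.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory users table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (email, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, email):
    """String interpolation: the input becomes part of the SQL text itself."""
    sql = f"SELECT email, name FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, email):
    """Placeholder binding: the driver passes the value as data, never as SQL."""
    sql = "SELECT email, name FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_count_or_error(fn, conn, email):
    """Return the number of rows a lookup yields, or 'error' if the SQL failed to parse."""
    try:
        return len(fn(conn, email))
    except sqlite3.Error:
        return "error"


def demo():
    """Run both lookups against a normal email, the injection string and an apostrophe email."""
    conn = make_db()
    return {
        # A normal lookup behaves the same either way: exactly one row.
        "vulnerable_normal": row_count_or_error(find_user_vulnerable, conn, "alice@example.com"),
        "param_normal": row_count_or_error(find_user_parameterized, conn, "alice@example.com"),
        # The injected input turns the interpolated query into
        #   WHERE email = '' OR '1'='1'   -> every row in the table.
        "vulnerable_injected": row_count_or_error(find_user_vulnerable, conn, INJECTION),
        # The same input bound as a parameter is just a literal string nobody has: no rows.
        "param_injected": row_count_or_error(find_user_parameterized, conn, INJECTION),
        # A real address with an apostrophe breaks the interpolated SQL (a syntax error),
        # while the parameterized version finds it without any escaping logic.
        "vulnerable_apostrophe": row_count_or_error(find_user_vulnerable, conn, "o'brien@example.com"),
        "param_apostrophe": row_count_or_error(find_user_parameterized, conn, "o'brien@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the part worth remembering: parameterization is not only a security fix, it is also the only reliable way to handle quotes in legitimate data, which is why "just escape the input yourself" keeps failing in practice.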

What about ORMs? Most ORMs (Prisma, Sequelize, SQLAlchemy) parameterize by default. Where they bite you is raw queries: prisma.$queryRawUnsafe, or sequelize.query without replacements. Treat raw queries like a sharp knife.

One more rule: never trust input from anywhere — query strings, headers, cookies, JSON bodies, even cookies you "set yourself." If it comes from outside the process, it's untrusted.