What Is SQL Injection?
SQL injection happens when an application builds a SQL statement by concatenating untrusted input into the statement text, so the input is parsed as SQL syntax instead of being treated as a value. If your login query is SELECT * FROM users WHERE email = '{input}', an attacker who enters ' OR 1=1 -- as the email closes the string literal, makes the WHERE clause true for every row, and comments out whatever follows, which bypasses authentication. It is one of the oldest and most dangerous web vulnerabilities.
How SQL Injection Works
Vulnerable: query = 'SELECT * FROM users WHERE id = ' + userId. If userId is '1 OR 1=1', every row comes back; if userId is '1; DROP TABLE users' and the driver executes stacked statements, your table is gone. Many drivers run only one statement per call, but that is no protection: a UNION SELECT payload reads other tables without needing a second statement. Fix: use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId]). The statement text and the values are sent to the database separately, so the database treats the parameter as data, never as SQL code.
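As an added example that is not from the original page, the following script runs the login bypass and the id-concatenation bug beside their parameterized fixes against an in-memory SQLite database from Python's standard library. The table layout, the two sample users and the payloads are constructed for this example. It also shows why the DROP TABLE outcome depends on the driver call: Python's sqlite3 execute() refuses a second statement, while executescript() runs every statement in the string.

```python
# Added example: vulnerable vs parameterized queries against an in-memory
# SQLite database (standard library only). Schema, rows and payloads are
# constructed here and are not from the original page.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a fresh in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """Login query built by string formatting: the input becomes SQL code."""
    sql = (
        f"SELECT id FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, email, password):
    """Same query with ? placeholders: values never touch the SQL text."""
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


def user_by_id_vulnerable(conn, user_id):
    """The page's `'... WHERE id = ' + userId` pattern."""
    return conn.execute(
        "SELECT id, email FROM users WHERE id = " + user_id
    ).fetchall()


def user_by_id_safe(conn, user_id):
    """Parameterized lookup. SQLite applies the id column's numeric affinity
    to a well-formed numeric string, so "2" still finds user 2, while
    "1 OR 1=1" is compared as plain text and matches nothing."""
    return conn.execute(
        "SELECT id, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def table_exists(conn, name="users"):
    """Consult the catalogue so we can see whether a DROP actually ran."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stacked_payload_via_execute(conn, user_id):
    """Concatenate a stacked payload and run it through execute().
    Python's sqlite3 allows one statement per execute() call, so the DROP
    is refused (older versions raise sqlite3.Warning, newer ones
    sqlite3.ProgrammingError). Returns (outcome, users table still exists)."""
    sql = "SELECT id, email FROM users WHERE id = " + user_id
    try:
        conn.execute(sql).fetchall()
        outcome = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        outcome = "rejected"
    return outcome, table_exists(conn)


def stacked_payload_via_executescript(conn, user_id):
    """The same payload through executescript(), which runs every statement
    in the string: this is the kind of driver behaviour that makes
    '1; DROP TABLE users' destructive. Returns whether users survived."""
    conn.executescript("SELECT id, email FROM users WHERE id = " + user_id)
    return table_exists(conn)


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 --"
    print("vulnerable login:", login_vulnerable(db, bypass, "x"))  # [1, 2]
    print("safe login:", login_safe(db, bypass, "x"))  # []
    print("vulnerable lookup:", user_by_id_vulnerable(db, "1 OR 1=1"))
    print("safe lookup:", user_by_id_safe(db, "1 OR 1=1"))  # []
    print("execute():", stacked_payload_via_execute(db, "1; DROP TABLE users"))
    print("executescript() kept table:",
          stacked_payload_via_executescript(make_db(), "1; DROP TABLE users"))
```

The two stacked-payload functions make the caveat concrete: the same concatenated string is harmless through one driver call and drops the table through another, so the fix is parameterization, not reliance on the driver refusing a second statement.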
Key Concepts
- Parameterized Queries — Pass user input as parameters, not string concatenation — the database separates code from data
- ORM Protection — ORMs like Prisma and SQLAlchemy use parameterized queries by default — but raw query methods can still be vulnerable
- Least Privilege — The application's database account should hold only the permissions its queries need, typically SELECT, INSERT, UPDATE and DELETE on specific tables, never ownership or superuser rights, so an injected DROP TABLE is refused even when the injection itself succeeds
Frequently Asked Questions
Do ORMs prevent SQL injection?
The standard query-builder methods do, because they bind every value as a parameter. Raw query functions such as prisma.$queryRawUnsafe or sequelize.query called with an interpolated string are exactly as dangerous as hand-built SQL, since the ORM passes your string through untouched. Use the parameterized variants (prisma.$queryRaw with its tagged template, sequelize.query with replacements or bind) and never interpolate user input into the query text, including ordering or filtering fragments.