What is SQL Injection?

SQL Injection is a security vulnerability where attackers inject malicious SQL code into your database queries. It's like someone sneaking a fake order into your restaurant's order system — they can access data they shouldn't or even delete everything.

How It Works:

  1. Your app builds SQL queries using user input
  2. Attacker provides malicious input (like '; DROP TABLE users; --)
  3. Your app executes the malicious SQL
  4. Attacker can read, modify, or delete data

Example:

# VULNERABLE CODE
query = "SELECT * FROM users WHERE name = '" + user_input + "'"
# If user_input = "'; DROP TABLE users; --"
# Query becomes: SELECT * FROM users WHERE name = ''; DROP TABLE users; --'

How to Prevent:

  • Parameterized queries: Use placeholders, never concatenate
  • Input validation: Validate and sanitize all inputs
  • Least privilege: Database users should have minimal permissions
  • ORM: Use Object-Relational Mapping tools that handle this
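The following is an added example, not code from the original page, showing the vulnerable concatenation pattern from the Example section beside the parameterized version recommended above, plus a simple allowlist validator for the "input validation" point. It goes slightly beyond the page's single payload: it uses the classic tautology input (a quote followed by OR '1'='1) to show how string concatenation lets the WHERE clause be rewritten, which is the mechanism behind the "bypass authentication" impact listed below. The in-memory SQLite database, table layout, user names and function names are all constructed for this example and are not from the page.

```python
import re
import sqlite3

# Constructed sample database (not from the original page) so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, user_input):
    # The page's vulnerable pattern: untrusted text is spliced into the SQL string,
    # so the input can close the quote and change the meaning of the WHERE clause.
    query = "SELECT name FROM users WHERE name = '" + user_input + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, user_input):
    # Parameterized query: the driver binds the value for the ? placeholder
    # separately from the SQL text, so quotes and keywords in the input are
    # only ever compared as data, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_input,))
    return [row[0] for row in rows]


# Allowlist pattern for this hypothetical app's usernames (constructed for the example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(user_input):
    # Defence in depth: reject anything that is not a plausible username before
    # it reaches the database. This complements, and does not replace, binding.
    return USERNAME_RE.fullmatch(user_input) is not None


def table_exists(conn, table_name):
    # Used to confirm that the page's DROP TABLE payload did no damage through
    # the parameterized path.
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, normal input:", find_user_vulnerable(db, "alice"))
    print("vulnerable, tautology:  ", find_user_vulnerable(db, tautology))
    print("safe, normal input:     ", find_user_safe(db, "alice"))
    print("safe, tautology:        ", find_user_safe(db, tautology))
    print("safe, page's payload:   ", find_user_safe(db, "'; DROP TABLE users; --"))
    print("users table still there:", table_exists(db, "users"))
    print("validator accepts alice:", is_valid_username("alice"))
    print("validator rejects payload:", is_valid_username(tautology))
```

With the concatenated query the tautology input returns every user, because the clause has become `name = '' OR '1'='1'`. With the placeholder the same input returns nothing, since no user literally has that name, and the page's `'; DROP TABLE users; --` payload is likewise just an unmatched string: the table survives. Note that SQLite's `execute()` refuses to run more than one statement per call, so the DROP payload would fail even through the vulnerable function here; other database drivers do allow stacked statements, which is why the fix must be parameterization rather than reliance on driver behaviour.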

Impact:

  • Data theft: Steal sensitive information
  • Data loss: Delete or corrupt data
  • Unauthorized access: Bypass authentication
  • System compromise: Gain control of the database

FAQ

Is SQL injection still a problem?
Yes! It's still one of the most common vulnerabilities. Always use parameterized queries.
Do ORMs prevent SQL injection?
Yes, if used correctly. ORMs use parameterized queries automatically. But you can still write vulnerable code with ORMs if you're not careful.
