SQL injection
SQL injection is one of the biggest threats to applications that are database-driven and use SQL queries, and it’s all linked to input sanitization.
Suppose we use Node.js to run a simple query like this (I’m using pseudocode):
const color = //coming from user input
const query = `select * from cars where color = '${color}'`
If color
is a string that contains a color like red
or blue
, everything works as planned.
But what if you accept this string from an input
field in a form, and the attacker enters the string "blue'; drop table cars;"
Do you see what happens?
The value of query
now is
select * from cars where color = 'blue'; drop table cars;'
And if you run this query, unless you removed the option to drop the table from the database permission of the database user, that is going to wipe out all of your data.
Another example.
Suppose you perform a query like this:
const query = 'SELECT * FROM users where name = "' + name + '"'
If you accept the name
variable from a form, for example, and don’t sanitize it, a person could enter the value
flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio
See? Now the query will become
SELECT * FROM users where name = "flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio"
This will cause the users table to be wiped out.
We solve this problem by properly sanitizing the input, escaping quotes, and using a proper ORM like Prisma or Sequelize (JS) or Eloquent (Laravel) instead of performing SQL queries directly.
I wrote 17 books to help you become a better developer, download them all at $0 cost by joining my newsletter
JOIN MY CODING BOOTCAMP, an amazing cohort course that will be a huge step up in your coding career - covering React, Next.js - next edition February 2025