SQL injection
New Course Coming Soon:
Get Really Good at Git
SQL injection is one of the biggest threats to applications that are database-driven and use SQL queries, and it’s all linked to input sanitization.
Suppose we use Node.js to run a simple query like this (I’m using pseudocode):
const color = //coming from user input
const query = `select * from cars where color = '${color}'`
If color
is a string that contains a color like red
or blue
, everything works as planned.
But what if you accept this string from an input
field in a form, and the attacker enters the string "blue'; drop table cars;"
Do you see what happens?
The value of query
now is
select * from cars where color = 'blue'; drop table cars;'
And if you run this query, unless you removed the option to drop the table from the database permission of the database user, that is going to wipe out all of your data.
Another example.
Suppose you perform a query like this:
const query = 'SELECT * FROM users where name = "' + name + '"'
If you accept the name
variable from a form, for example, and don’t sanitize it, a person could enter the value
flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio
See? Now the query will become
SELECT * FROM users where name = "flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio"
This will cause the users table to be wiped out.
We solve this problem by properly sanitizing the input, escaping quotes, and using a proper ORM like Prisma or Sequelize (JS) or Eloquent (Laravel) instead of performing SQL queries directly.
Here is how can I help you:
- COURSES where I teach everything I know
- THE VALLEY OF CODE your web development manual
- BOOTCAMP 2024 cohort in progress, next edition in 2025
- BOOKS 16 coding ebooks you can download for free on JS Python C PHP and lots more
- SOLO LAB everything I know about running a lifestyle business as a solopreneur
- Interesting links collection
- Follow me on X