Skip to content

SQL injection

New Course Coming Soon:

Get Really Good at Git

SQL injection is one of the biggest threats to applications that are database-driven and use SQL queries, and it’s all linked to input sanitization.

Suppose we use Node.js to run a simple query like this (I’m using pseudocode):

const color = //coming from user input
const query = `select * from cars where color = '${color}'`

If color is a string that contains a color like red or blue, everything works as planned.

But what if you accept this string from an input field in a form, and the attacker enters the string "blue'; drop table cars;"

Do you see what happens?

The value of query now is

select * from cars where color = 'blue'; drop table cars;'

And if you run this query, unless you removed the option to drop the table from the database permission of the database user, that is going to wipe out all of your data.

Another example.

Suppose you perform a query like this:

const query = 'SELECT * FROM users where name = "' + name + '"'

If you accept the name variable from a form, for example, and don’t sanitize it, a person could enter the value

flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio

See? Now the query will become

SELECT * FROM users where name = "flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio"

This will cause the users table to be wiped out.

We solve this problem by properly sanitizing the input, escaping quotes, and using a proper ORM like Prisma or Sequelize (JS) or Eloquent (Laravel) instead of performing SQL queries directly.

Are you intimidated by Git? Can’t figure out merge vs rebase? Are you afraid of screwing up something any time you have to do something in Git? Do you rely on ChatGPT or random people’s answer on StackOverflow to fix your problems? Your coworkers are tired of explaining Git to you all the time? Git is something we all need to use, but few of us really master it. I created this course to improve your Git (and GitHub) knowledge at a radical level. A course that helps you feel less frustrated with Git. Launching May 21, 2024. Join the waiting list!

Here is how can I help you: