* created: 2026-04-22T16:48
* modified: 2026-04-22T17:02
SQL Injection
A vulnerability that allows an attacker to inject arbitrary SQL into an existing query, allowing the attacker to access or manipulate data that they should not have access to. This can happen if inputs are concatenated into the query text without being sanitized or parameterized before execution.
```sql
-- Intended query with normal input (username = "alice")
SELECT * FROM users WHERE username = 'alice' AND password = 'secret';
-- Attacker enters as username: ' OR '1'='1
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
-- ^^^^^^^^^ the injected OR has changed the query's logic; '1'='1' is always true.
-- Note that AND binds tighter than OR, so this particular string parses as
-- username = '' OR ('1'='1' AND password = '') -- the structure is no longer what the developer wrote.
```
Prepared statements address this by first compiling the query template with placeholders before any user data is involved, which locks in the structure so it cannot be changed afterwards. When the actual values are then bound and the query is executed, the database treats them purely as data: an attacker input such as '; DROP TABLE users; -- is passed as a literal string value to the ? placeholder and is never interpreted as SQL syntax.
```sql
-- Step 1: structure is compiled, ? is a fixed placeholder
SELECT * FROM users WHERE username = ? AND password = ?;
-- Step 2: values are bound ("alice", "secret") and executed
-- even "'; DROP TABLE users; --" would just be a string here
SELECT * FROM users WHERE username = 'alice' AND password = 'secret';
```
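The two queries above, run side by side against an in-memory SQLite database, as an added example that is not part of the original note. The user table, its two rows and the lookup functions are all constructed here for illustration. The vulnerable function concatenates input into the query text; the safe one uses the same ? placeholders as the note. The note's ' OR '1'='1 payload is supplied in the trailing (password) position so that the AND/OR precedence discussed above does not mask the effect; supplying it as the username instead returns no rows for exactly that precedence reason, which the block also shows.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data (not from the page). Plaintext passwords are used only
# to keep the demo short; a real system stores password hashes.
SAMPLE_USERS = [("alice", "secret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """String-built query: user input becomes part of the SQL syntax itself."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Prepared statement: the structure is fixed; ? placeholders receive data only."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the schema catalogue so we can confirm nothing was dropped."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"

    # Payload in the password position: the OR escapes the intended AND,
    # and the string-built query returns every user.
    print(vulnerable_login(conn, "alice", payload))

    # Same payload in the username position: AND binds tighter than OR,
    # so the string-built query parses as username = '' OR (...) and matches nothing.
    print(vulnerable_login(conn, payload, ""))

    # Parameterized: the payload is compared literally against the password column.
    print(safe_login(conn, "alice", payload))
    print(safe_login(conn, "alice", "secret"))

    # The note's second payload is likewise just a string value under a placeholder.
    print(safe_login(conn, "'; DROP TABLE users; --", ""))
    print(table_exists(conn, "users"))
```

The comparison to take away is the first and third calls: identical inputs, but only the query whose structure was fixed before the values arrived keeps its original meaning.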