SQL Injection
Status: draft · Confidence: medium (0.635) · Basis: verified_sources
Quality notes: generic_source_homepage, no_verified_sources, partial_source_verification
## TL;DR

SQL Injection is a code injection attack in which attacker-controlled input is interpreted as part of an application's SQL query. Injection ranked #3 on the OWASP Top 10 (2021) and can lead to data theft, data loss, and complete system compromise.

## Core Explanation

Prevention: parameterized queries (prepared statements), stored procedures, input validation, and least-privilege database accounts. Never concatenate user input into SQL strings; this is the single rule that prevents SQL injection. Use placeholders instead: `SELECT * FROM users WHERE name = ?` (MySQL) or `$1` (PostgreSQL). ORMs such as Prisma and SQLAlchemy issue parameterized queries by default.

## Further Reading

## Related Articles

- [Text-to-SQL: Natural Language Database Querying with Large Language Models](../../ai/text-to-sql.md)
- [Dependency Injection](../dependency-injection.md)
- [SQL Joins](../sql-joins.md)
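The following is an added worked example illustrating the Core Explanation above; it is not code from the original article. It uses Python's standard-library `sqlite3` driver with a constructed in-memory `users` table, places a string-concatenated query next to its parameterized (`?` placeholder) form, and adds an allowlist check for the one case placeholders cannot cover, a column name used in `ORDER BY`. The table, rows, and the `ALLOWED_SORT_COLUMNS` set are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SEED_ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Identifiers (table/column names) cannot be bound as parameters, so the
# only safe way to let a caller choose a sort column is an allowlist.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: user input is spliced into the SQL text itself.

    Whatever the caller supplies becomes part of the query grammar, so a
    quote character in the input changes what the statement means.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a placeholder carries the value separately from the query.

    The driver never merges the value into the SQL text, so the input is
    compared as a plain string and can only ever match a name literally.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Sort by a caller-chosen column using allowlist validation.

    A placeholder would bind the column name as a string literal (sorting
    by a constant), so the identifier is validated against a fixed set
    before it is interpolated.
    """
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT name, email FROM users ORDER BY {column}").fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and a constructed hostile value."""
    conn = make_db()
    normal = "alice"
    # Constructed input: closes the open quote and appends an always-true clause.
    hostile = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),    # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe_normal": lookup_safe(conn, normal),          # one row
        "safe_hostile": lookup_safe(conn, hostile),        # no rows: no such name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The contrast to read off the output is that `lookup_vulnerable` returns every row for the hostile input while `lookup_safe` returns none, because the placeholder version compares the whole string `' OR '1'='1` against the `name` column rather than executing it. `list_users_sorted` shows the companion rule: where a value cannot be parameterized, validate it against a closed allowlist rather than trying to escape it.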