SQL Injection Prevention
Table of Contents
Overview
Implement comprehensive SQL injection prevention using prepared statements, parameterized queries, ORM best practices, and input validation.
When to Use
- Database query development
- Legacy code security review
- Security audit remediation
- API endpoint development
- User input handling
- Dynamic query generation
Quick Start
Minimal working example:
// secure-db.js
const { Pool } = require("pg");
class SecureDatabase {
constructor() {
this.pool = new Pool({
host: process.env.DB_HOST,
database: process.env.DB_NAME,
user: process.env.DB_USER,
password: process.env.DB_PASSWORD,
max: 20,
idleTimeoutMillis: 30000,
connectionTimeoutMillis: 2000,
});
}
/**
* ✅ SECURE: Parameterized query
*/
async getUserById(userId) {
const query = "SELECT * FROM users WHERE id = $1";
const values = [userId];
try {
const result = await this.pool.query(query, values);
// ... (see reference guides for full implementation)
Reference Guides
Detailed implementations in the references/ directory:
| Guide | Contents |
|---|---|
| Node.js with PostgreSQL | Node.js with PostgreSQL |
| Python with SQLAlchemy ORM | Python with SQLAlchemy ORM |
| Java JDBC with Prepared Statements | Java JDBC with Prepared Statements |
| Input Validation & Sanitization | Input Validation & Sanitization |
Best Practices
✅ DO
- Use prepared statements ALWAYS
- Use ORM frameworks properly
- Validate all user inputs
- Whitelist dynamic values
- Use least privilege DB accounts
- Enable query logging
- Regular security audits
- Use parameterized queries
❌ DON'T
- Concatenate user input
- Trust client-side validation
- Use string formatting for queries
- Allow dynamic table/column names
- Grant excessive DB permissions
- Skip input validation