Iron Codex Cybersecurity

Prevent SQLi

Preventing SQL Injection (SQLi)

Use parameterized queries, prepared statements, and Object Relational Mappers (ORMs) so that query text and user-supplied values reach the database separately: the SQL parser only ever sees placeholders, and untrusted input is bound as data, never compiled as part of the statement.

// Prevent SQLi with ORMs like Sequelize or Prisma
const { Sequelize, QueryTypes } = require('sequelize');
const sequelize = new Sequelize(process.env.DATABASE_URL);

// BAD: Concatenating input. A name containing a quote changes the
// statement itself, so the attacker (or an innocent "O'Brien") rewrites the query.
// sequelize.query("SELECT * FROM users WHERE name = '" + req.body.name + "'");

// GOOD: Bound parameters. The SQL text is constant; the value is sent separately
// and can never be interpreted as SQL syntax.
sequelize.query('SELECT * FROM users WHERE name = :username', {
  replacements: { username: req.body.name },
  type: QueryTypes.SELECT
});
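The Sequelize snippet above cannot be run without a database server, so here is an added example (not from the Iron Codex page) that shows the same contrast against a throwaway in-memory SQLite database using Python's standard library. The table, the four rows and the hostile input are constructed for the demonstration; the placeholder style (`:username` bound from a dict) mirrors Sequelize's `replacements`.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with four rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """BAD: the untrusted value becomes part of the SQL text the parser compiles."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """GOOD: constant SQL text; the value is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = :username"
    return [row[0] for row in conn.execute(sql, {"username": name})]


def demo():
    """Run both lookups against benign, quote-bearing and hostile inputs."""
    conn = make_db()
    benign = "bob"
    legit_quote = "o'brien"          # a real name that happens to contain a quote
    hostile = "x' OR '1'='1"         # classic tautology: turns the WHERE into 'always true'

    results = {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),
        "safe_benign": find_user_safe(conn, benign),
        "safe_quote": find_user_safe(conn, legit_quote),
        "safe_hostile": find_user_safe(conn, hostile),
    }
    # The concatenated query breaks on legitimate input too: the stray quote
    # leaves an unterminated string and SQLite rejects the statement.
    try:
        results["vulnerable_quote"] = find_user_vulnerable(conn, legit_quote)
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} -> {value}")
```

The vulnerable lookup returns every row for the hostile input and fails outright for `o'brien`; the parameterized lookup returns exactly the one matching row for the quoted name and no rows for the hostile string, because the bound value is compared literally rather than compiled. That is the whole point of the control: correctness for ordinary data and safety against injection come from the same mechanism.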