SQL injection
SQL injection is one of the biggest threats to database-driven applications that build SQL queries from user input, and it comes down to how that input is sanitized before it reaches the query.
Suppose we use Node.js to run a simple query like this (I’m using pseudocode):
const color = //coming from user input
const query = `select * from cars where color = '${color}'`
If color is a string that contains a color like red or blue, everything works as planned.
But what if you accept this string from an input field in a form, and the attacker enters the string "blue'; drop table cars;"?
Do you see what happens?
The value of query now is
select * from cars where color = 'blue'; drop table cars;'
And if you run this query, unless the database user your application connects with has been denied the permission to drop tables, it is going to wipe out all of your data.
Another example.
Suppose you perform a query like this:
const query = 'SELECT * FROM users where name = "' + name + '"'
If you accept the name variable from a form, for example, and don’t sanitize it, a person could enter the value
flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio
See? Now the query will become
SELECT * FROM users where name = "flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio"
This will cause the users table to be wiped out.
We solve this problem by properly sanitizing the input, escaping quotes, and using a proper ORM like Prisma or Sequelize (JS) or Eloquent (Laravel) instead of building SQL query strings by hand.
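An added example, not code from the original post, contrasting the string-splicing query above with a parameterized one: the SQL text stays fixed and the user's value travels separately, which is what ORMs do underneath. It assumes node-postgres style `$1` placeholders and stands in a toy driver for a real database, so it runs offline.

```javascript
// Unsafe: the user's value becomes part of the SQL grammar.
function buildUnsafeQuery(color) {
  return `select * from cars where color = '${color}'`;
}

// Safe: fixed SQL text plus a bound value, in the { text, values }
// shape node-postgres uses. The value never touches the SQL text.
function buildSafeQuery(color) {
  return { text: 'select * from cars where color = $1', values: [color] };
}

// Splits SQL text into statements at semicolons that sit outside
// single-quoted literals. A doubled quote ('') inside a literal is kept.
function splitStatements(sql) {
  const statements = [];
  let current = '';
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      if (inLiteral && sql[i + 1] === "'") { current += "''"; i++; continue; }
      inLiteral = !inLiteral;
    }
    if (ch === ';' && !inLiteral) {
      if (current.trim()) statements.push(current.trim());
      current = '';
      continue;
    }
    current += ch;
  }
  if (current.trim()) statements.push(current.trim());
  return statements;
}

// Toy driver (constructed for this example) that refuses multi-statement
// text, as the mysql/mysql2 packages do unless multipleStatements is enabled.
function execute(query) {
  const isString = typeof query === 'string';
  const statements = splitStatements(isString ? query : query.text);
  if (statements.length !== 1) {
    throw new Error(`refusing to run ${statements.length} statements in one call`);
  }
  return { statement: statements[0], values: isString ? [] : query.values };
}

// Constructed input: the payload from the text above.
const payload = "blue'; drop table cars;";
console.log(splitStatements(buildUnsafeQuery(payload))); // three statements
console.log(execute(buildSafeQuery(payload)));            // one statement, value bound
```

Relying on the driver's single-statement default only limits stacked queries; the bound parameter is what keeps the value out of the SQL grammar altogether.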