
SQL injection


SQL injection is one of the biggest threats to database-driven applications that build SQL queries, and it comes down to how untrusted input reaches those queries.

Suppose we use Node.js to run a simple query like this (I’m using pseudocode):

const color = req.body.color // taken straight from the request, never validated
const query = `select * from cars where color = '${color}'`

If color is a string that contains a color like red or blue, everything works as planned.

But what if you accept this string from an input field in a form, and the attacker enters the string "blue'; drop table cars;"

Do you see what happens?

The value of query now is

select * from cars where color = 'blue'; drop table cars;'

And if you run this query, unless the database user the application connects with has been denied the permission to drop tables, that is going to wipe out all of your data.

Another example.

Suppose you perform a query like this:

const query = 'SELECT * FROM users where name = "' + name + '"'

If you accept the name variable from a form, for example, and don’t sanitize it, a person could enter the value

flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio

See? Now the query will become

SELECT * FROM users where name = "flavio"; DELETE * FROM users; SELECT * FROM users where name ="flavio"

This will cause the users table to be wiped out.

We solve this problem by never trusting the input: sanitize it, escape quotes, and, rather than performing SQL queries directly, use a proper ORM like Prisma or Sequelize (JS) or Eloquent (Laravel), which builds the queries for you.
