What Is SQL Injection?

February 14, 2023



SQL Injection is a common type of cyber attack that involves modifying SQL statements to maliciously access a database. One common method involves purposely filling out a form with SQL statements, and when the back-end receives the text, it may construct an unexpected SQL statement, allowing attackers to execute it on the database.

[Figure: SQL Injection]

For example, by filling in the password field with ' OR 1 = 1 --, the resulting string concatenation is as follows:

queryStr = "SELECT * FROM users WHERE username = 'Jack' AND password = '' OR 1 = 1 --';"

Since -- starts an SQL comment, the rest of the statement (including the closing quote) is ignored, and username = 'Jack' AND password = '' OR 1 = 1 always evaluates to True because OR binds more loosely than AND, so an attacker can log in without a password.

How to Prevent SQL Injection?

Escape Parameters

One method to prevent SQL Injection is to check the user's input with regular expressions and replace any SQL keywords found with harmless characters. The disadvantage of this method is that the regular expression rules must be updated whenever new SQL keywords are added, and such a blocklist can never cover all cases.

Query Parameterization

Query parameterization is the safest way to prevent SQL Injection. This method uses placeholders in database syntax to process parameters separately from the SQL statement. For example:

SELECT * FROM users WHERE username = $1 AND password = $2;

With prepared statements, the database compiles the SQL statement first and the parameter values are passed in separately at execution time, so they are treated as data rather than as SQL syntax, which effectively prevents SQL Injection attacks.
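As an added example (not code from the original post), the login check from above written in Python against an in-memory SQLite database: the concatenated version accepts the ' OR 1 = 1 -- input from the page, while the parameterized version rejects it. SQLite uses ? rather than $1 as the placeholder; the users table and the password 's3cret' are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user, as in the page's example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Jack', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the user's text becomes part of the SQL itself,
    # so a quote and a -- comment in the password rewrite the WHERE clause.
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "';")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the statement is compiled with ? markers and the values
    # are bound separately, so the password is compared as a literal string
    # and never parsed as SQL.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(password):
    # Runs both versions against the same input; returns (vulnerable, safe).
    conn = make_db()
    return (login_vulnerable(conn, "Jack", password),
            login_parameterized(conn, "Jack", password))


if __name__ == "__main__":
    print("correct password:", compare("s3cret"))        # (True, True)
    print("injected input:  ", compare("' OR 1 = 1 --"))  # (True, False)
```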

Object Relational Mapping (ORM)

Using Object Relational Mapping (ORM) instead of hand-written SQL statements avoids most SQL Injection issues, because the ORM builds parameterized queries for you; the same care still applies to any raw-SQL escape hatch the ORM exposes.

