SQL Injection Prevention Cheat Sheet
Explains how SQL injection works and shows concrete, language-specific techniques to prevent it using parameterized queries and validation.
2 PagesIntermediateFeb 8, 2026
Vulnerable vs. Safe Query (Python)
String concatenation vs. parameterized queries.
python
# VULNERABLE: user input concatenated directly into SQLquery = "SELECT * FROM users WHERE username = '" + username + "'"cursor.execute(query)# SAFE: parameterized query, driver handles escapingquery = "SELECT * FROM users WHERE username = %s"cursor.execute(query, (username,))
Parameterized Queries in Other Stacks
Examples using an ORM and Node.js driver.
javascript
// Node.js with node-postgres — parameterized queryconst res = await pool.query( 'SELECT * FROM users WHERE email = $1', [email]);// Using an ORM (e.g. Sequelize) — auto-parameterizedconst user = await User.findOne({ where: { email } });
Common SQLi Variants
Different ways SQL injection can manifest.
- In-band (classic)- Attacker gets results directly in the application response
- Union-based- Uses UNION SELECT to combine attacker query with legitimate results
- Blind (boolean)- Infers data by observing true/false differences in responses
- Blind (time-based)- Infers data using SLEEP()/WAITFOR to measure response delay
- Second-order- Malicious input stored first, then executed later in a different query
Defense-in-Depth Layers
Multiple complementary controls to reduce SQLi risk.
- Parameterized queries / prepared statements- Primary defense; separates code from data
- Least-privilege DB accounts- App's DB user should not have DROP/ALTER rights if not needed
- Input validation- Allow-list expected formats (e.g. numeric IDs, email patterns)
- Stored procedures- Can help if they don't internally concatenate input into SQL
- WAF- Web Application Firewall as a detective/compensating control, not a primary fix
- ORMs- Reduce raw SQL usage, but raw/custom queries within them can still be vulnerable
Pro Tip
Parameterized queries must bind actual values, not table/column names — those can't be parameterized by the driver, so for dynamic identifiers use a strict allow-list instead of user input, ever.
Was this cheat sheet helpful?
Explore Topics
#SQLInjectionPrevention#SQLInjectionPreventionCheatSheet#Cybersecurity#Intermediate#Vulnerable#Safe#Query#Python#Databases#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance