100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

SQL Injection Prevention Cheat Sheet

SQL Injection Prevention Cheat Sheet

Explains how SQL injection works and shows concrete, language-specific techniques to prevent it using parameterized queries and validation.

2 PagesIntermediateFeb 8, 2026

Vulnerable vs. Safe Query (Python)

String concatenation vs. parameterized queries.

python
# VULNERABLE: user input concatenated directly into SQLquery = "SELECT * FROM users WHERE username = '" + username + "'"cursor.execute(query)# SAFE: parameterized query, driver handles escapingquery = "SELECT * FROM users WHERE username = %s"cursor.execute(query, (username,))

Parameterized Queries in Other Stacks

Examples using an ORM and Node.js driver.

javascript
// Node.js with node-postgres — parameterized queryconst res = await pool.query(  'SELECT * FROM users WHERE email = $1',  [email]);// Using an ORM (e.g. Sequelize) — auto-parameterizedconst user = await User.findOne({ where: { email } });

Common SQLi Variants

Different ways SQL injection can manifest.

  • In-band (classic)- Attacker gets results directly in the application response
  • Union-based- Uses UNION SELECT to combine attacker query with legitimate results
  • Blind (boolean)- Infers data by observing true/false differences in responses
  • Blind (time-based)- Infers data using SLEEP()/WAITFOR to measure response delay
  • Second-order- Malicious input stored first, then executed later in a different query

Defense-in-Depth Layers

Multiple complementary controls to reduce SQLi risk.

  • Parameterized queries / prepared statements- Primary defense; separates code from data
  • Least-privilege DB accounts- App's DB user should not have DROP/ALTER rights if not needed
  • Input validation- Allow-list expected formats (e.g. numeric IDs, email patterns)
  • Stored procedures- Can help if they don't internally concatenate input into SQL
  • WAF- Web Application Firewall as a detective/compensating control, not a primary fix
  • ORMs- Reduce raw SQL usage, but raw/custom queries within them can still be vulnerable
Pro Tip

Parameterized queries must bind actual values, not table/column names — those can't be parameterized by the driver, so for dynamic identifiers use a strict allow-list instead of user input, ever.

Was this cheat sheet helpful?

Explore Topics

#SQLInjectionPrevention#SQLInjectionPreventionCheatSheet#Cybersecurity#Intermediate#Vulnerable#Safe#Query#Python#Databases#CheatSheet#SkillVeris