SQL Injection


Level: Intermediate · Category: Security · 1 min read
Tags: sql-injection, sqli, database-injection

Definition

An attack where malicious SQL code is inserted into an input field to manipulate the database — reading, modifying, or deleting data the attacker should never access.

An attack in which malicious SQL code is inserted into an input field to manipulate the database: reading, modifying, or deleting data the attacker should never be able to access.

Why It Matters

Vulnerable: `db.query('SELECT * FROM users WHERE email = ' + req.body.email)`. Safe: `db.query('SELECT * FROM users WHERE email = $1', [req.body.email])` — the DB treats input as data, never as SQL.

Vulnerable: merging user input directly into the query. Safe: using parameterized queries, where the database treats the input as data and never as SQL.

Full Definition

SQL Injection occurs when user-supplied input is concatenated directly into a SQL query without sanitization. If userInput is `' OR '1'='1`, the query `SELECT * FROM users WHERE name = '${userInput}'` returns all users. More dangerous payloads can drop tables, exfiltrate the entire database, or bypass authentication. Prevention: always use parameterized queries (prepared statements) or an ORM that handles parameterization automatically.
SQL Injection occurs when user input is merged directly into a SQL query without processing. An attacker can craft input that alters the query's logic and extracts or deletes data. Prevention: always use parameterized queries or an ORM that handles parameters automatically.
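The behaviour described above, as an added example that is not part of the original page: the page's `' OR '1'='1` input is run against a constructed in-memory SQLite table, once through string concatenation and once through a parameterized query, so the difference in returned rows can be observed directly. Python's standard `sqlite3` module is assumed in place of the page's Node-style `$1` placeholders (SQLite uses `?`).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, user_input):
    # Mirrors the page's `WHERE name = '${userInput}'`: the input is spliced
    # into the SQL text, so a quote in the input can rewrite the WHERE clause.
    query = f"SELECT name FROM users WHERE name = '{user_input}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, user_input):
    # Parameterized form: the query shape is fixed and the value travels
    # separately, so the database only ever compares `name` against a string.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_input,))
    return sorted(row[0] for row in rows)


def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # the page's example input
    return {
        # concatenation: the clause becomes `name = '' OR '1'='1'` -> every row
        "vulnerable_payload": find_user_vulnerable(conn, payload),
        # parameterized: no user is literally named `' OR '1'='1` -> no rows
        "safe_payload": find_user_safe(conn, payload),
        # ordinary input still works the same either way
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "safe_normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```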

Knowledge Graph

Avoid these mistakes when defending against SQL Injection:

1. Using string concatenation for queries anywhere → Even if you validate the input first, parameterized queries are the only safe approach — use `$1` placeholders.

2. Assuming NoSQL databases are immune → MongoDB, Firestore, and others have their own injection variants if queries are built from unvalidated input.

3. Escaping quotes manually → This approach fails on edge cases and encoding attacks. Use prepared statements instead — they are foolproof.
