[{"data":1,"prerenderedAt":278},["ShallowReactive",2],{"term-s\u002Fsql-injection":3,"related-s\u002Fsql-injection":261},{"id":4,"title":5,"acronym":6,"body":7,"category":242,"description":243,"difficulty":244,"extension":245,"letter":246,"meta":247,"navigation":98,"path":248,"related":249,"seo":255,"sitemap":256,"stem":259,"subcategory":6,"__hash__":260},"terms\u002Fterms\u002Fs\u002Fsql-injection.md","SQL Injection",null,{"type":8,"value":9,"toc":236},"minimark",[10,15,24,28,31,35,225,229,232],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18,19,23],"p",{},"SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it. Like if someone's name in a form was ",[20,21,22],"code",{},"' OR 1=1; DROP TABLE users; --"," — and your code just runs that. Boom, your user table is gone. Use parameterized queries. Always.",[11,25,27],{"id":26},"real-talk","Real Talk",[16,29,30],{},"SQL injection is an attack where malicious SQL is inserted into input fields that are concatenated into database queries. Attackers can bypass authentication, read sensitive data, or destroy databases. 
Prevention requires parameterized queries (prepared statements) or an ORM that parameterizes queries for you; an ORM's raw-query methods still need bound parameters rather than string concatenation.",[11,32,34],{"id":33},"show-me-the-code","Show Me The Code",[36,37,42],"pre",{"className":38,"code":39,"language":40,"meta":41,"style":41},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F ❌ NEVER concatenate user input into SQL\nconst query = `SELECT * FROM users WHERE email = '${email}'`;\n\n\u002F\u002F ✅ Use parameterized queries\nconst query = 'SELECT * FROM users WHERE email = $1';\nconst result = await db.query(query, [email]);\n\n\u002F\u002F ✅ Or use an ORM (Prisma, Drizzle, etc.)\nconst user = await prisma.users.findFirst({ where: { email } });\n","javascript","",[20,43,44,53,93,100,106,125,160,165,171],{"__ignoreMap":41},[45,46,49],"span",{"class":47,"line":48},"line",1,[45,50,52],{"class":51},"sHwdD","\u002F\u002F ❌ NEVER concatenate user input into SQL\n",[45,54,56,60,64,68,71,75,78,81,84,87,90],{"class":47,"line":55},2,[45,57,59],{"class":58},"spNyl","const",[45,61,63],{"class":62},"sTEyZ"," query ",[45,65,67],{"class":66},"sMK4o","=",[45,69,70],{"class":66}," `",[45,72,74],{"class":73},"sfazB","SELECT * FROM users WHERE email = '",[45,76,77],{"class":66},"${",[45,79,80],{"class":62},"email",[45,82,83],{"class":66},"}",[45,85,86],{"class":73},"'",[45,88,89],{"class":66},"`",[45,91,92],{"class":66},";\n",[45,94,96],{"class":47,"line":95},3,[45,97,99],{"emptyLinePlaceholder":98},true,"\n",[45,101,103],{"class":47,"line":102},4,[45,104,105],{"class":51},"\u002F\u002F ✅ Use parameterized queries\n",[45,107,109,111,113,115,118,121,123],{"class":47,"line":108},5,[45,110,59],{"class":58},[45,112,63],{"class":62},[45,114,67],{"class":66},[45,116,117],{"class":66}," '",[45,119,120],{"class":73},"SELECT * FROM users WHERE email = 
$1",[45,122,86],{"class":66},[45,124,92],{"class":66},[45,126,128,130,133,135,139,142,145,149,152,155,158],{"class":47,"line":127},6,[45,129,59],{"class":58},[45,131,132],{"class":62}," result ",[45,134,67],{"class":66},[45,136,138],{"class":137},"s7zQu"," await",[45,140,141],{"class":62}," db",[45,143,144],{"class":66},".",[45,146,148],{"class":147},"s2Zo4","query",[45,150,151],{"class":62},"(query",[45,153,154],{"class":66},",",[45,156,157],{"class":62}," [email])",[45,159,92],{"class":66},[45,161,163],{"class":47,"line":162},7,[45,164,99],{"emptyLinePlaceholder":98},[45,166,168],{"class":47,"line":167},8,[45,169,170],{"class":51},"\u002F\u002F ✅ Or use an ORM (Prisma, Drizzle, etc.)\n",[45,172,174,176,179,181,183,186,188,191,193,196,199,202,206,209,212,215,217,220,223],{"class":47,"line":173},9,[45,175,59],{"class":58},[45,177,178],{"class":62}," user ",[45,180,67],{"class":66},[45,182,138],{"class":137},[45,184,185],{"class":62}," prisma",[45,187,144],{"class":66},[45,189,190],{"class":62},"users",[45,192,144],{"class":66},[45,194,195],{"class":147},"findFirst",[45,197,198],{"class":62},"(",[45,200,201],{"class":66},"{",[45,203,205],{"class":204},"swJcz"," where",[45,207,208],{"class":66},":",[45,210,211],{"class":66}," {",[45,213,214],{"class":62}," email ",[45,216,83],{"class":66},[45,218,219],{"class":66}," }",[45,221,222],{"class":62},")",[45,224,92],{"class":66},[11,226,228],{"id":227},"when-youll-hear-this","When You'll Hear This",[16,230,231],{},"\"The login form is vulnerable to SQL injection.\" \u002F \"Always use parameterized queries to prevent SQL injection.\"",[233,234,235],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sTEyZ, html 
code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: 
var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":41,"searchDepth":55,"depth":55,"links":237},[238,239,240,241],{"id":13,"depth":55,"text":14},{"id":26,"depth":55,"text":27},{"id":33,"depth":55,"text":34},{"id":227,"depth":55,"text":228},"security","SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.","intermediate","md","s",{},"\u002Fterms\u002Fs\u002Fsql-injection",[250,251,252,253,254],"Command Injection","OWASP Top 10","Sanitization","Input Validation","XSS",{"title":5,"description":243},{"changefreq":257,"priority":258},"weekly",0.7,"terms\u002Fs\u002Fsql-injection","XR4tXm-26IxnUMcTJjb7Z_bLJM4UT1yfmS_3YY89RKs",[262,265,269,272,275],{"title":250,"path":263,"acronym":6,"category":242,"difficulty":244,"description":264},"\u002Fterms\u002Fc\u002Fcommand-injection","Command injection is like SQL injection but worse — instead of attacking your database, the hacker injects shell commands that run on your actual server.",{"title":253,"path":266,"acronym":6,"category":242,"difficulty":267,"description":268},"\u002Fterms\u002Fi\u002Finput-validation","beginner","Input validation is checking that user input is what you expect before using it.",{"title":251,"path":270,"acronym":6,"category":242,"difficulty":267,"description":271},"\u002Fterms\u002Fo\u002Fowasp-top-10","The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.",{"title":252,"path":273,"acronym":6,"category":242,"difficulty":267,"description":274},"\u002Fterms\u002Fs\u002Fsanitization","Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.",{"title":254,"path":276,"acronym":254,"category":242,"difficulty":244,"description":277},"\u002Fterms\u002Fx\u002Fxss","XSS stands for Cross-Site Scripting. 
Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.",1776518310161]