[{"data":1,"prerenderedAt":249},["ShallowReactive",2],{"blog-glossary/sql-injection":3},{"id":4,"title":5,"body":6,"category":225,"date":226,"dateModified":226,"description":227,"draft":228,"extension":229,"faq":230,"featured":228,"headerVariant":234,"image":235,"keywords":235,"meta":236,"navigation":237,"ogDescription":238,"ogTitle":235,"path":239,"readTime":240,"schemaOrg":241,"schemaType":242,"seo":243,"sitemap":244,"stem":245,"tags":246,"twitterCard":247,"__hash__":248},"blog/blog/glossary/sql-injection.md","What is SQL Injection? Database Security Guide",{"type":7,"value":8,"toc":212},"minimark",[9,16,21,24,36,39,45,48,60,67,71,74,107,116,120,125,128,139,143,146,152,156,159,181,200],[10,11,12],"tldr",{},[13,14,15],"p",{},"SQL injection is when attackers insert malicious database commands through your app's input fields. If you build SQL queries by concatenating user input, attackers can manipulate those queries to read, modify, or delete your entire database. The fix is simple: use parameterized queries or an ORM like Prisma. These treat user input as data, never as SQL commands.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"Imagine a login form that checks credentials like this:",[25,26,28],"prompt-box",{"title":27},"Vulnerable code",[13,29,30,31,35],{},"const query = `",[32,33,34],"code",{},"SELECT * FROM users   WHERE email = '${email}'   AND password = '${password}'","`;",[13,37,38],{},"A normal user enters their email and password. But an attacker enters this as the password:",[25,40,42],{"title":41},"Malicious input",[13,43,44],{},"' OR '1'='1",[13,46,47],{},"The resulting query becomes:",[25,49,51],{"title":50},"Injected query",[13,52,53,54,59],{},"SELECT * FROM users\nWHERE email = '",[55,56,58],"a",{"href":57},"mailto:user@example.com","user@example.com","'\nAND password = '' OR '1'='1'",[13,61,62,63,66],{},"Since ",[32,64,65],{},"'1'='1'"," is always true, this returns all users. 
The attacker just bypassed authentication.",[17,68,70],{"id":69},"what-attackers-can-do","What Attackers Can Do",[13,72,73],{},"SQL injection is in the OWASP Top 10 and has been responsible for some of the largest data breaches in history. Attackers can:",[75,76,77,85,91,101],"ul",{},[78,79,80,84],"li",{},[81,82,83],"strong",{},"Read data:"," Extract usernames, passwords, credit cards, personal info",[78,86,87,90],{},[81,88,89],{},"Modify data:"," Change prices, grant admin access, alter records",[78,92,93,96,97,100],{},[81,94,95],{},"Delete data:"," ",[32,98,99],{},"DROP TABLE users;"," destroys everything",[78,102,103,106],{},[81,104,105],{},"Access server:"," Some databases allow executing system commands",[108,109,110],"warning-box",{},[13,111,112,115],{},[81,113,114],{},"Real impact:"," SQL injection attacks cost businesses millions per incident. Never trust user input in SQL queries.",[17,117,119],{"id":118},"how-to-prevent-sql-injection","How to Prevent SQL Injection",[121,122,124],"h3",{"id":123},"_1-use-parameterized-queries","1. Use Parameterized Queries",[13,126,127],{},"Pass user input as parameters, not as part of the SQL string:",[25,129,131],{"title":130},"Safe: Parameterized query",[13,132,133,134,138],{},"const result = await client.query(\n'SELECT * FROM users WHERE email = $1 AND password = $2',\n",[135,136,137],"span",{},"[email, hashedPassword]","\n);",[121,140,142],{"id":141},"_2-use-an-orm","2. Use an ORM",[13,144,145],{},"ORMs like Prisma, Drizzle, and Sequelize use parameterized queries automatically:",[25,147,149],{"title":148},"Safe: Prisma ORM",[13,150,151],{},"const user = await prisma.user.findUnique({\nwhere: { email: email }\n});\n// Prisma handles parameterization internally",[121,153,155],{"id":154},"_3-avoid-raw-queries-with-user-input","3. Avoid Raw Queries with User Input",[13,157,158],{},"Most ORMs offer raw query methods. 
If you use them, be careful to still use parameters.",[160,161,162,169,175],"faq-section",{},[163,164,166],"faq-item",{"question":165},"What is the best way to prevent SQL injection?",[13,167,168],{},"Use parameterized queries (also called prepared statements). Instead of building SQL strings with user input, pass values as parameters. ORMs like Prisma, Drizzle, and Sequelize handle this automatically. Never use string concatenation or template literals to build SQL queries with user data.",[163,170,172],{"question":171},"Does using an ORM protect against SQL injection?",[13,173,174],{},"Yes, ORMs like Prisma, Drizzle, TypeORM, and Sequelize use parameterized queries by default. However, most ORMs also offer raw query methods that can be vulnerable if misused. Always use the ORM's built-in query builders rather than raw SQL with user input.",[163,176,178],{"question":177},"Can SQL injection delete my entire database?",[13,179,180],{},"Yes. An attacker can inject commands like DROP TABLE or DELETE FROM. They can also read sensitive data, modify records, or even gain access to the underlying server in some cases. 
SQL injection is consistently rated as one of the most critical web vulnerabilities.",[182,183,184,190,195],"related-articles",{},[185,186],"related-card",{"description":187,"href":188,"title":189},"The broader category of attacks","/blog/glossary/injection","Injection Attacks",[185,191],{"description":192,"href":193,"title":194},"Cleaning user input","/blog/glossary/sanitization","Sanitization",[185,196],{"description":197,"href":198,"title":199},"Another injection attack type","/blog/glossary/xss","XSS",[201,202,205,209],"cta-box",{"href":203,"label":204},"/","Start Free Scan",[17,206,208],{"id":207},"check-your-queries","Check Your Queries",[13,210,211],{},"Scan your codebase for SQL injection vulnerabilities.",{"title":213,"searchDepth":214,"depth":214,"links":215},"",2,[216,217,218,224],{"id":19,"depth":214,"text":20},{"id":69,"depth":214,"text":70},{"id":118,"depth":214,"text":119,"children":219},[220,222,223],{"id":123,"depth":221,"text":124},3,{"id":141,"depth":221,"text":142},{"id":154,"depth":221,"text":155},{"id":207,"depth":214,"text":208},"glossary","2026-01-14","Learn what SQL injection attacks are, how they work, and how to prevent them with parameterized queries. Essential security knowledge for developers.",false,"md",[231,232,233],{"question":165,"answer":168},{"question":171,"answer":174},{"question":177,"answer":180},"green",null,{},true,"SQL injection lets attackers manipulate your database. Learn how to prevent it.","/blog/glossary/sql-injection","5 min read","[object Object]","DefinedTerm",{"title":5,"description":227},{"loc":239},"blog/glossary/sql-injection",[],"summary_large_image","hOJY4bO33N-vP9B_3_3JvwOg14M2aPTEGOniY9_xrrU",1775843921505]