SQL injection
What is SQL injection?
SQL injection is a vulnerability in which an attacker alters the meaning of a database query by supplying input that gets interpreted as SQL code rather than as data. It occurs whenever an application builds queries by concatenating user input into a SQL string. Because the database cannot tell which parts of the string came from the developer and which from the user, carefully crafted input can change the query’s logic: bypassing a login check, reading other users’ records, dumping entire tables, or in some configurations writing files and executing commands. It has appeared in the OWASP Top Ten in every edition, decades after the fix became standard.
How it shows up in real code
The vulnerable pattern is one line of string building:
db.query("SELECT * FROM users WHERE email = '" + req.body.email + "'");Submitting ' OR '1'='1 as the email turns the WHERE clause into a condition that is always true, returning every row. Modern ORMs make injection rarer but not extinct: raw-query escape hatches (rawQuery, whereRaw, string-built ORDER BY clauses) reintroduce the same flaw, and AI-generated code reproduces the concatenation pattern with confident regularity.
The fix
The reliable defense is parameterized queries (prepared statements): the query structure is sent to the database separately from the values, so input can never be parsed as SQL.
db.query("SELECT * FROM users WHERE email = ?", [req.body.email]);Input validation and least-privilege database accounts are worthwhile layers on top, but they are supplements, not substitutes. Escaping input by hand is fragile and should be treated as a bug in itself.
Why it matters in a code audit
Injection is a high-value audit target because it is both catastrophic and mechanical to find: an auditor greps for query construction, isolates every raw-SQL call site, and traces whether user input can reach one. A single overlooked concatenation in an aging admin endpoint is a classic finding. It is also a good indicator species: where injection survives, its cousins XSS and IDOR are usually nearby. A practical checklist lives in the SQL injection and input validation checklist.
A free code audit traces your query paths and flags any that trust user input.
Free · no strings shown later
Get your free code audit
A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.
Request my free audit