
SQL – SQL Injection

Understand SQL injection attacks — what they are, how they work, and how to prevent them completely.

SQL injection is the most common and damaging database attack. It occurs when user input is concatenated directly into a SQL query without sanitization, allowing an attacker to inject malicious SQL code. A single login form vulnerable to injection can expose an entire database containing millions of records.

The classic example: a login query built as "SELECT * FROM users WHERE username = '" + input + "'" can be defeated by entering ' OR '1'='1 as the username — the injected OR '1'='1 always evaluates to true, bypassing authentication entirely.

The fix: Parameterized Queries

import sqlite3
cursor = sqlite3.connect(":memory:").cursor()
cursor.execute("CREATE TABLE users (username TEXT, password TEXT)")
user_input = "' OR '1'='1"  # the payload from the example above

# VULNERABLE (never do this): the input is spliced into the SQL text and parsed as SQL
query = f"SELECT * FROM users WHERE username = '{user_input}'"

# SAFE (parameterized): the input is bound as a value and never parsed as SQL
query = "SELECT * FROM users WHERE username = ?"
cursor.execute(query, (user_input,))

The value for the ? placeholder is supplied by the database driver, which handles quoting and escaping itself, so the input is treated as data and can never change the structure of the query.
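To see the difference concretely, here is an added example (not code from the original lesson) that runs the concatenated and the parameterized login query side by side against a constructed in-memory SQLite table, using the ' OR '1'='1 input from the text. It also shows the tell-tale symptom of the unsafe path: a legitimate name containing an apostrophe breaks the query with a syntax error.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SEED_USERS = [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")]
PAYLOAD = "' OR '1'='1"  # the input discussed in the text above


def fresh_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username):
    """String-concatenated query: the input becomes part of the SQL text."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username):
    """Parameterized query: the driver binds the input as a value."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username):
    """Run both versions on the same input; returns (concatenated, parameterized)."""
    conn = fresh_db()
    try:
        return login_vulnerable(conn, username), login_parameterized(conn, username)
    finally:
        conn.close()


def vulnerable_query_error(username):
    """SQLite error text if the concatenated query fails to parse, else None."""
    conn = fresh_db()
    try:
        login_vulnerable(conn, username)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ["alice", PAYLOAD]:
        vuln, safe = compare(name)
        print(f"input={name!r:16} concatenated={vuln} parameterized={safe}")
    print("apostrophe in name ->", vulnerable_query_error("o'brien"))
```

The concatenated query returns every user for the payload while the parameterized one returns nothing, because it looks for a literal username equal to the payload string; an application that throws SQL syntax errors on names like o'brien is showing the same concatenation defect.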

Try It Yourself — Interactive SQL Editor

Edit the query below and click Run Query ▶ to see live results powered by SQLite running directly in your browser.


Key Points

  • SQL injection exploits unparameterized dynamic queries
  • ALWAYS use parameterized queries / prepared statements
  • Never concatenate user input directly into SQL strings
  • Input sanitization alone is insufficient — parameterization is the only safe defense

Pro Tip from CodesCompiler: The best way to learn SQL is to break things intentionally — modify the query above, change the WHERE conditions, try different columns. Every error teaches you something the docs cannot.

In the next lesson, we continue exploring SQL’s powerful feature set to build your database mastery.