{
    "slug": "sql_injection",
    "term": "SQL Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Unsanitised user input inserted directly into a SQL query, letting attackers read, modify, or delete database data.",
    "long": "SQL Injection occurs when user-supplied data is concatenated into a SQL statement without parameterisation. An attacker can close the intended query early and append their own SQL — extracting every row in the database, bypassing login checks, or calling destructive commands. It is consistently among the most common and most damaging web vulnerabilities (OWASP Top 10 'Injection', CWE-89). The fix for every data value is a prepared statement with bound parameters; input sanitisation alone is not sufficient. Identifiers such as table or column names, and keywords such as ASC/DESC, cannot be bound — those must be validated against a fixed allow-list instead.",
    "aliases": [
        "SQLi",
        "SQL attack",
        "database injection"
    ],
    "tags": [
        "owasp-top10",
        "injection",
        "database",
        "cwe-89"
    ],
    "misconception": "Escaping quotes is sufficient protection. It isn't — escaping only protects quoted string literals, depends on the escaping function knowing the connection's character set, and does nothing for an unquoted numeric or identifier position. Prepared statements with bound parameters keep data separate from SQL at the driver level and are the reliable defence.",
    "why_it_matters": "SQL injection is one of the most commonly exploited web vulnerabilities — a single unsanitised input can expose an entire database, bypass authentication, or destroy data. Parameterised queries are cheap to implement and remove the injection risk for every value that is bound; only identifiers and raw SQL fragments, which cannot be bound, still need separate allow-list validation.",
    "common_mistakes": [
        "Using string escaping (addslashes, mysql_real_escape_string) instead of prepared statements — escaping only protects quoted string literals, depends on the connection character set, and does nothing for an unquoted numeric position such as WHERE id = $id.",
        "Parameterising values but dynamically concatenating table or column names (or ORDER BY / LIMIT fragments) into queries — these cannot be bound as parameters, so they must be checked against an allow-list of known-good values.",
        "Assuming an ORM makes you immune — raw query methods like DB::statement() still allow injection.",
        "Forgetting second-order injection: safely stored input can re-enter a query unsafely later."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "prepared_statement",
        "pdo",
        "mysqli",
        "bind_param"
    ],
    "prerequisites": [
        "pdo",
        "prepared_statement",
        "input_validation"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/SQL_Injection",
        "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html",
        "https://cwe.mitre.org/data/definitions/89.html"
    ],
    "bad_code": "$id = $_GET['id'];\n$users = $db->query(\"SELECT * FROM users WHERE id = $id\");",
    "good_code": "$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');\n$stmt->execute([':id' => (int) $_GET['id']]);\n$user = $stmt->fetch();",
    "quick_fix": "Replace $db->query(\"...{$var}\") with $pdo->prepare('...:p') + execute([':p'=>$var])",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-13",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/sql_injection",
        "html_url": "https://codeclaritylab.com/glossary/sql_injection",
        "json_url": "https://codeclaritylab.com/glossary/sql_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[SQL Injection](https://codeclaritylab.com/glossary/sql_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/sql_injection"
            }
        }
    }
}