SQL injection & parameterization

The oldest trick in the book, and the one-line fix.

5 min read · core · beat Gold to climb

The vulnerability

When user input is concatenated straight into a SQL string, an attacker can change the query's meaning.

The fix: parameterized queries

Never build SQL by concatenation. Use placeholders so the database treats input strictly as a value, never as code:

db.query("SELECT * FROM users WHERE name = ?", [userInput])

The driver sends the SQL statement and the parameter values to the database separately, so the input is bound as data and can't alter the statement's structure.
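As an added example (not part of the original lesson), the concatenated and parameterized lookups side by side against a constructed in-memory SQLite table; the function names lookup_unsafe / lookup_safe, the sample rows and the inputs are assumptions made here:

```python
import sqlite3

# Constructed sample rows for this example (not from the original lesson).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, user_input):
    """Vulnerable: the input is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Parameterized: the statement is fixed; the input is bound as a value."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo():
    """Run both lookups on a hostile input and on a legitimate name with an apostrophe."""
    conn = make_db()
    hostile = "' OR '1'='1"   # rewrites the WHERE clause when concatenated
    apostrophe = "O'Brien"    # legitimate value that breaks string splicing
    results = {
        "unsafe_hostile": lookup_unsafe(conn, hostile),      # every row leaks
        "safe_hostile": lookup_safe(conn, hostile),          # no such name: []
        "safe_apostrophe": lookup_safe(conn, apostrophe),    # exact match works
    }
    try:
        lookup_unsafe(conn, apostrophe)                      # broken SQL syntax
        results["unsafe_apostrophe_error"] = None
    except sqlite3.OperationalError as err:
        results["unsafe_apostrophe_error"] = type(err).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The apostrophe case shows that parameterization is also a correctness fix: string splicing fails on ordinary data, not only on hostile data.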

Key idea

Injection is a special case of a general rule: never mix code and untrusted data in the same string. The same lesson applies to shell commands, HTML (XSS), and LLM prompts.

Check yourself

Answer to earn rating on the learn ladder.

1. What's the correct defense against SQL injection?

2. SQL injection is a special case of which general rule?