What is SQL Injection?
An attack where malicious database commands are inserted through input fields, allowing attackers to read, modify, or delete your entire database.
In plain English
Imagine a receptionist who follows any instruction written on a visitor form. You write 'Give me access to all filing cabinets' on the form, and the receptionist does it because they process the form without questioning its contents. SQL injection works the same way — your app processes database commands from user input without checking if they're safe.
How it works
When your code builds database queries by concatenating user input (like 'SELECT * FROM users WHERE email = ' + userInput), an attacker can add SQL commands to that input. For example, entering ' OR 1=1 -- as an email address changes the query to return all users: the leading quote closes the string literal, OR 1=1 is always true, and -- turns the rest of the original query into a comment. More destructive payloads can drop tables, export data, or create admin accounts.
How to prevent it
Use parameterized queries or prepared statements — these treat user input as data, never as commands. If you use an ORM like Prisma, Drizzle, or SQLAlchemy, you're protected by default. Never build queries with string concatenation or template literals. Validate input types (if you expect a number, reject non-numeric input).
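The following is an added example (not code from the original page or from any product it mentions) that puts the concatenated query from the "How it works" section next to the parameterized and type-validated forms recommended above. It uses Python's built-in sqlite3 module with a constructed in-memory users table, so it runs offline; the table layout, sample rows and function names are assumptions made for the demonstration.

```python
import sqlite3
from typing import Optional

# Constructed sample data: an in-memory database standing in for the app's users table.
SAMPLE_USERS = [
    ("alice@example.com", "admin"),
    ("bob@example.com", "user"),
    ("carol@example.com", "user"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the article warns about: the query text is built by
    concatenation, so whatever the caller typed becomes part of the SQL.
    Entering ' OR 1=1 -- turns the WHERE clause into a tautology."""
    sql = "SELECT id, email, role FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT id, email, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def validate_id(raw_id: object) -> Optional[int]:
    """Input-type validation from the article: when a numeric id is expected,
    accept only a string of digits and convert it; anything else is rejected
    before it gets anywhere near the database."""
    if isinstance(raw_id, str) and raw_id.isdigit():
        return int(raw_id)
    return None


def find_user_by_id(conn: sqlite3.Connection, raw_id: object) -> list:
    """Combines both defences: validate the type, then bind the value."""
    user_id = validate_id(raw_id)
    if user_id is None:
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, email, role FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concatenated query returned", len(find_user_vulnerable(db, payload)), "rows")
    print("parameterized query returned", len(find_user_safe(db, payload)), "rows")
    print("validated id lookup:", find_user_by_id(db, "2"))
```

Run it with any Python 3 interpreter: the concatenated version returns every row for the payload, while the parameterized version returns none because the same text is looked up as a literal email address that does not exist. Note that sqlite3 also refuses to run more than one statement per execute() call, so a dropped-table payload fails here for a different reason; other drivers do not offer that safety net, so the parameterized form is the defence to rely on.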
Why AI-built apps are vulnerable
AI coding tools sometimes generate raw SQL queries with string interpolation for simplicity. This is especially common in Python apps with direct database connections and in Node.js apps using raw database drivers instead of ORMs.
Frequently asked questions
Am I vulnerable if I use Prisma or Supabase?
ORMs like Prisma use parameterized queries by default, protecting you from SQL injection. Supabase's JavaScript client also uses parameterized queries. You're only vulnerable if you use raw SQL methods (.rawQuery, rpc with string concatenation) with user input.
Check your app
Get a professional review of your app at a fixed price.
Security Scan
Black-box review of your public-facing app. No code access needed.
- OWASP Top 10 checks
- SSL/TLS analysis
- Security headers
- Expert review within 24h
Code Audit
In-depth review of your source code for security, quality, and best practices.
- Security vulnerabilities
- Code quality review
- Dependency audit
- AI pattern analysis
Complete Bundle
Both scans in one package with cross-referenced findings.
- Everything in both products
- Cross-referenced findings
- Unified action plan
100% credited toward any paid service. Start with an audit, then let us fix what we find.
Worried about SQL injection in your app?
Get a professional code audit ($19) or book a free call to discuss your concerns.