41. SQL Injection (Intro)
SQL Injection (SQLi) occurs when untrusted input is embedded into a database query as query text rather than passed as a bound parameter. An attacker can then alter the structure of the query to read, modify, or delete data.
Insecure Example (string interpolation)
# cursor is assumed to be a DB-API cursor from a driver that uses "%s" placeholders (e.g. psycopg2 or PyMySQL)
user_id = input("Enter user id: ")
query = "SELECT * FROM users WHERE id = %s" % user_id  # input becomes part of the SQL text
cursor.execute(query)  # Dangerous if user_id = "1 OR 1=1": the WHERE clause now matches every row
Secure Example (parameterized queries)
user_id = input("Enter user id: ")
query = "SELECT * FROM users WHERE id = %s"  # "%s" is the driver's placeholder here, not Python formatting
cursor.execute(query, (user_id,))  # Parameterized: the driver binds the value, it is never parsed as SQL
✅ Lesson: Use parameterized queries / prepared statements. Never build SQL by concatenating raw input.
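The two patterns above, run side by side against a constructed in-memory SQLite table (an added example, not part of the original lesson; note that sqlite3 uses "?" as its placeholder where psycopg2/PyMySQL use "%s"):

```python
import sqlite3

# Constructed sample data so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_insecure(conn, user_id):
    # Same pattern as the insecure example: the input is spliced into the SQL text,
    # so anything that is valid SQL in that position changes the query's meaning.
    query = "SELECT id, name FROM users WHERE id = %s" % user_id
    return conn.execute(query).fetchall()

def lookup_secure(conn, user_id):
    # Parameterized: sqlite3 binds the value at execution time.
    # A hostile string is compared as a single literal and matches nothing.
    query = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()

def demo():
    conn = make_db()
    honest = "2"
    hostile = "1 OR 1=1"  # the input from the lesson above
    return {
        "insecure_honest": lookup_insecure(conn, honest),   # one row
        "insecure_hostile": lookup_insecure(conn, hostile), # every row leaks
        "secure_honest": lookup_secure(conn, honest),       # one row
        "secure_hostile": lookup_secure(conn, hostile),     # no rows
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hostile input only has an effect in the interpolated version; with a bound parameter the same string is just an id value that no row has.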