Services Portfolio Team Academy Blog Contact

SQL Injection: How It Works and How to Defend Against It

703 1 min

SQL injection is the manipulation of an SQL query through user-supplied data. Classic example: entering username = ' OR 1=1 -- can grant access to any account. The root problem: data and code are mixed — entered text is always interpreted as code.

Defence: Prepared statements (parameterised queries) — code and data are separated: $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");. ORMs (Eloquent, Doctrine) typically use prepared statements. Input validation — only the expected format is accepted. Least privilege — the database user should only have the permissions it needs. A Web Application Firewall adds an extra protection layer.

Share