SQL Injection Prevention Techniques


This article covers several SQL injection prevention techniques, along with the main types of SQL injection.

An SQL injection is a class of code injection attacks, in which data provided by the user is included in a SQL query in such a way that part of the user’s input is treated as SQL code.

SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements.

SQL injection techniques may differ, but they all exploit a single weakness in the application:
incorrectly validated or unvalidated string values are concatenated into a dynamically built SQL statement and are then interpreted as code by the SQL engine.

Types of SQL Injection

Blind or Inferential
Boolean-based: the application's response differs for true and false conditions, so the attacker asks a series of true/false questions until the desired value (for example a matching username) is found.
Time-based: a deliberate delay is added to the query, and the result is inferred from how long the response takes.

In-band SQL Injection

This occurs when an attacker is able to use the same communication channel to both launch the attack and gather the results.
Error-based: information is retrieved from database error messages; the details vary from one DB engine to another.
Union-based: an in-band technique that uses the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which is then returned as part of the HTTP response.


A further variant: the attacker supplies input that is first stored and later executed by a separate operation of the database system.

7 SQL injection prevention techniques

1 Parameterized statements (prepared queries), eg.
Bad: "SELECT * FROM users WHERE username = '" + uname + "'" (the user-supplied value is concatenated into the SQL text)
Good: SELECT * FROM users WHERE username = ? (uname, email and every other user-supplied value is bound to a placeholder, never pasted into the query string)

Using sprintf-style formatting or an ORM is a common way to build queries for the DB; note that only parameter binding actually keeps user data out of the SQL text, so sprintf must only ever be used for the fixed parts of a statement.
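The following is an added example (not code from the original article) that puts the "Bad" and "Good" forms above side by side on an in-memory SQLite database with a few constructed rows. The vulnerable function builds the SQL text by concatenation; the safe one binds the value to a `?` placeholder. A username containing an apostrophe is enough to break the concatenated query, and a value that contains SQL syntax is treated as plain data by the parameterized one. Function and table names are assumptions for this demo.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite DB with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "ob@example.com")],
    )
    conn.commit()
    return conn


def find_user_bad(conn, uname):
    """Vulnerable form: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + uname + "'"
    return conn.execute(sql).fetchall()


def find_user_good(conn, uname):
    """Safe form: the value is bound to a placeholder and is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (uname,)).fetchall()


def bad_query_breaks_on(conn, uname):
    """True if the concatenated query fails to parse for this input (e.g. a quote in the name)."""
    try:
        find_user_bad(conn, uname)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe: concatenation produces a syntax error,
    # parameter binding returns the row.
    print("bad breaks on o'brien:", bad_query_breaks_on(db, "o'brien"))
    print("good finds o'brien:", find_user_good(db, "o'brien"))
    # Input that is SQL syntax rather than a name: the concatenated query returns
    # every user, the parameterized query returns nothing because no such username exists.
    print("bad rows:", len(find_user_bad(db, "' OR '1'='1")))
    print("good rows:", find_user_good(db, "' OR '1'='1"))
```

The same contrast holds for every driver that supports placeholders (`%s` in psycopg2, `?` in JDBC and so on); what matters is that the value travels to the engine separately from the statement text.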

2 Beware of Stored Procedures (part of ORM injections)

Wrong: User.where("name = '" + name + "'")
Right: User.find_by_name(name)

Always use parameterized stored procedures; an ORM does not protect you if you hand it a string you built yourself.

3 Escaping user inputs
eg. text typed into a search box must be escaped before it reaches the query, so that quotes, comment markers and other SQL syntax in the input are not interpreted as code.

4 Sanitizing the user inputs
eg. echo sanitize_email('s tiwari@gmail.com'); (the stray space is removed before the value is used)

Stray whitespace should not be stored in the DB.
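As an added example covering both points 3 and 4 (this is not the article's own code, and `sanitize_email` here is an approximation of the WordPress function of that name, not the real implementation), the block below shows two things a search box and an e-mail field need even when placeholders are used. First, `LIKE` has its own wildcards (`%` and `_`) that must be escaped so a search term is matched literally; the unescaped version is kept alongside to show the difference. Second, a sanitizer that strips whitespace and characters that cannot appear in an address, so what reaches the DB is clean. The table, rows and helper names are constructed for the demo.

```python
import re
import sqlite3


def make_search_db():
    """In-memory DB with constructed usernames, including ones that contain LIKE wildcards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("al_ce",), ("bob",), ("100%",)])
    conn.commit()
    return conn


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the term matches literally. The escape char itself goes first."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_users(conn, term):
    """Search box query: parameterized AND wildcard-escaped."""
    pattern = "%" + escape_like(term) + "%"
    return conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY username",
        (pattern,),
    ).fetchall()


def search_users_unescaped(conn, term):
    """Parameterized but not escaped: a '_' or '%' typed by the user acts as a wildcard."""
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username", (pattern,)
    ).fetchall()


# Characters permitted in the local part and domain of an address (approximation of RFC 5322 atext plus '@' and '.').
_EMAIL_DISALLOWED = re.compile(r"[^A-Za-z0-9.!#$%&'*+/=?^_`{|}~@-]")


def sanitize_email(value):
    """Approximation of a WordPress-style sanitize_email: drop whitespace and disallowed
    characters, then require exactly one '@' with a dotted domain; return '' if unusable."""
    cleaned = _EMAIL_DISALLOWED.sub("", value.strip())
    if cleaned.count("@") != 1:
        return ""
    local, domain = cleaned.split("@")
    if not local or "." not in domain or domain.startswith(".") or domain.endswith("."):
        return ""
    return cleaned


if __name__ == "__main__":
    db = make_search_db()
    print("escaped search for '_':  ", search_users(db, "_"))
    print("unescaped search for '_':", search_users_unescaped(db, "_"))
    print(sanitize_email("s tiwari@gmail.com"))
    print(repr(sanitize_email("not an email")))
```

Escaping the search term does not replace the placeholder; it complements it. The placeholder stops the term from becoming SQL, and the `ESCAPE` clause stops it from becoming a pattern.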

5 DB errors should not be displayed to users
eg. messages such as "Syntax error near clients '" must never reach the user, since they reveal the structure of the query.

6 Errors should be logged to a file, so developers still see the full detail while the user sees only a generic message.

7 The DB account used by the application should have the least privilege needed for its work.
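An added example (not from the original article) tying points 5, 6 and 7 together on SQLite: a query wrapper that logs the full database error to a file and hands the caller only a generic message, and a connection opened in SQLite's read-only URI mode as the local equivalent of a least-privilege account (on a server database this would be a dedicated user granted only SELECT on the tables it needs). The log path, DB path, table and function names are assumptions for the demo.

```python
import logging
import os
import sqlite3
import tempfile

# Constructed paths for the demo; a real deployment would use its configured log and data locations.
LOG_PATH = os.path.join(tempfile.gettempdir(), "app-db-errors.log")
DB_PATH = os.path.join(tempfile.gettempdir(), "app-demo.sqlite")

GENERIC_MESSAGE = "The request could not be processed."

# A dedicated logger with its own file handler, so the detail goes to disk, not to the HTTP response.
logger = logging.getLogger("app.db")
logger.setLevel(logging.ERROR)
logger.propagate = False
if not logger.handlers:
    logger.addHandler(logging.FileHandler(LOG_PATH))


def create_db(path=DB_PATH):
    """Create the demo table with one constructed row, using a normal read-write connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS clients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("DELETE FROM clients")
    conn.execute("INSERT INTO clients (name) VALUES (?)", ("acme",))
    conn.commit()
    conn.close()


def open_read_only(path=DB_PATH):
    """Least privilege: the web-facing code gets a connection that cannot write at all."""
    return sqlite3.connect("file:" + path + "?mode=ro", uri=True)


def run_query(conn, sql, params=()):
    """Return (rows, user_message). On failure rows is None, the full error is logged,
    and user_message is a fixed generic string that leaks nothing about the query."""
    try:
        return conn.execute(sql, params).fetchall(), None
    except sqlite3.Error as exc:
        logger.error("DB error running %r with %r: %s", sql, params, exc)
        return None, GENERIC_MESSAGE


def read_error_log():
    """Flush handlers and return the log file contents (for inspection)."""
    for handler in logger.handlers:
        handler.flush()
    with open(LOG_PATH, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    create_db()
    ro = open_read_only()
    print(run_query(ro, "SELECT name FROM clients WHERE name = ?", ("acme",)))
    # A write through the read-only connection fails; the user sees the generic message only.
    print(run_query(ro, "DELETE FROM clients"))
    # A malformed statement likewise: detail goes to the log file, not to the caller.
    print(run_query(ro, "SELECT name FROM clients WHERE name = 'broken"))
    print(read_error_log())
```

The point of `run_query` is the split: the `except` branch writes `exc` to the log and returns a constant, so no database error text can ever be rendered in a page.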

About Sachin Tiwari 81 Articles
I am a software engineer with an interest in web security and cybersecurity; I love to learn about website security topics and share them with others.
