
SQL Injection

Understand SQL injection attacks by exploring how unsafe user inputs can manipulate SQL queries in JavaScript applications. Learn to safeguard your databases using prepared statements, parameterized queries, and trusted query builders or ORMs. This lesson equips you to write secure SQL queries and prevent data breaches.

Little Bobby Tables

SQL injection falls under the Injection category (the same category that XSS falls under) in the OWASP Top Ten. This makes sense because, in both cases, the root cause is the same—blindly trusting user-provided data.

SQL injection occurs when untrusted data is used directly in, or concatenated into, the text of an SQL statement. The parallel with XSS is exact: the following statement is dangerous because it writes input that our users control straight into the page as HTML, so a value such as a script tag is executed rather than displayed:

Javascript (babel-node)
document.querySelector('#search-results').innerHTML = params.get('search');

Compare that to something like this:

Javascript (babel-node)
const query = `SELECT * FROM students WHERE name = '${userName}';`;

Here, we’re using template literals (string interpolation) to splice a value into the text of a larger SQL statement. The userName is clearly intended to be something short and simple like "Fred" or "Sally", but what if the userName happens to be user-provided? The ...
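To make the difference concrete, here is an added example (not code from the lesson) that builds the interpolated query above next to a parameterized equivalent and feeds both a hostile userName. It assumes a driver that takes the statement text and a separate values array with $1-style placeholders, as node-postgres does; no database is contacted, the two query shapes are only built and inspected. The scanner and the hostile input are constructed for the demonstration.

```javascript
// Vulnerable: the user-supplied value becomes part of the SQL text.
function buildQueryUnsafe(userName) {
  return `SELECT * FROM students WHERE name = '${userName}';`;
}

// Parameterized: the SQL text is fixed at write time and the value travels
// separately; the driver sends it as data, never as statement syntax.
// Placeholder style ($1) is the one node-postgres uses (assumption: pg-style driver).
function buildQuerySafe(userName) {
  return {
    text: 'SELECT * FROM students WHERE name = $1;',
    values: [userName],
  };
}

// Constructed hostile input: closes the quoted literal, appends a tautology,
// and comments out whatever the developer wrote after the interpolation.
const hostileName = "Fred' OR '1'='1' --";

// Tiny scanner (constructed for this example): returns the bare tokens that sit
// OUTSIDE single-quoted string literals. Literal bodies collapse to <literal>,
// '' inside a literal is treated as the SQL escape for a quote, and a -- comment
// ends the scan because the engine ignores everything after it. Comparing token
// lists shows whether input changed the *structure* of the statement.
function bareTokens(sql) {
  const tokens = [];
  let current = '';
  const flush = () => { if (current) { tokens.push(current); current = ''; } };
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      flush();
      i += 1;
      while (i < sql.length) {
        if (sql[i] === "'") {
          if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote
          i += 1;
          break;
        }
        i += 1;
      }
      tokens.push('<literal>');
      continue;
    }
    if (ch === '-' && sql[i + 1] === '-') { flush(); tokens.push('<comment>'); break; }
    if (/\s/.test(ch)) { flush(); i += 1; continue; }
    current += ch;
    i += 1;
  }
  flush();
  return tokens;
}

// True when the input altered the statement's structure relative to a benign name.
function structureChanged(userName) {
  const baseline = bareTokens(buildQueryUnsafe('Fred')).join(' ');
  return bareTokens(buildQueryUnsafe(userName)).join(' ') !== baseline;
}

console.log(buildQueryUnsafe(hostileName));
// The interpolated version now carries an OR and a comment outside any literal:
console.log(bareTokens(buildQueryUnsafe(hostileName)).join(' '));
// The parameterized version's text is identical for every input:
console.log(buildQuerySafe(hostileName).text, buildQuerySafe(hostileName).values);
```

Run with `node`. The point to take from the token lists is that the hostile name does not merely change a value, it adds an OR and a comment marker to the statement itself; with the parameterized form the statement text never contains the input at all, so there is nothing for the database to misparse. Query builders and ORMs give the same guarantee as long as values go through their parameter mechanism (for example Knex's `.where({ name: userName })`) rather than through a raw-SQL string you assemble yourself.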