DEV Community

Zohar Peled

Why is SQL injection still a thing?

I've just published Back to basics: SQL Injection over on What the # do I know?.

It's not that I think the existing articles and posts about SQL injection aren't good enough; it's that I've seen far too many questions on Stack Overflow lately with vulnerable code, and I find it amazing (in a bad way) that this is still a problem today.

I mean, there has been an easy-to-use, 100% bulletproof solution to this problem for more than two decades now, so why hasn't this threat been eradicated yet?

In this post I summarize the following topics:

  • What is SQL Injection?
  • How does this work?
  • How can you write safe SQL?
  • How do parameters prevent SQL Injection?

Top comments (1)

Davyd McColl

I guess some of the problem is that people are introduced to SQL as "a bunch of text we send to a server somewhere to get data" and they're also introduced to "you can build SQL strings". Logically, what follows is "to get filter data (and other data) into SQL queries, use string concatenation".

Sometimes that's viable; sometimes we can use in-line quoting to get where we want; but yes: we should have been introduced to SQL as a secondary language from the start, i.e. how to interact with SQL-based databases from another language, where parameters are the best method for getting dynamic data into queries.

Also, I guess SQL is difficult enough because it requires "set thinking" over "iterative thinking", so that's already a lot for people to deal with (:
