What is SQL injection and how do you prevent it?

Security

The short answer

SQL injection is an attack where an attacker places SQL code into a user input field. If the application builds its SQL queries by pasting that input straight into the query text, the database parses the attacker's input as part of the query, and the attacker can read, modify, or delete data from the database. It is one of the oldest and most dangerous web vulnerabilities.

How it works

Imagine a login form that takes a username and sends it to the server:

// Vulnerable server code
const query = `SELECT * FROM users WHERE username = '${username}'`;

If a user types john, the query becomes:

SELECT * FROM users WHERE username = 'john'

That works fine. But if an attacker types ' OR '1'='1, the query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1'

'1'='1' is always true, so this returns all users from the database. The attacker just bypassed the login.

A worse attack could be: '; DROP TABLE users; --

SELECT * FROM users WHERE username = ''; DROP TABLE users; --'

This deletes the entire users table, provided the database driver executes several statements in one call (many drivers refuse stacked statements by default, but the first attack above works regardless).

How to prevent it

1. Parameterized queries (prepared statements)

This is the number one defense. Instead of putting user input directly in the query, you use placeholders:

// Safe — parameterized query
const query = 'SELECT * FROM users WHERE username = ?';
db.execute(query, [username]);

The query text and the parameter value are sent to the database separately, so the value is never parsed as SQL: the database treats it as data, not as code. Even if the user types SQL commands, they are compared as a plain string and simply match no username.

2. Use an ORM

ORMs like Prisma, Sequelize, or TypeORM handle parameterization for you, as long as you stay on their query-builder API. Their raw-query escape hatches that accept a ready-made SQL string are just as vulnerable as hand-built queries:

// Safe — the ORM binds username as a parameter
const user = await prisma.user.findFirst({
  where: { username: username },
});

3. Input validation

Validate and sanitize user input on the server side. If a username should only contain letters and numbers, reject anything else.
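The following is an added example, not code from the original page, that ties together the "How it works" section, the parameterized-query section, and the validation rule above. It runs without a database: bindParams imitates the client-side binding some drivers do for ? placeholders (the value becomes one quoted literal with embedded quotes doubled), and keywordsOutsideLiterals reports which SQL keywords end up outside string literals, which is exactly where attacker input becomes code. All function names are my own.

```javascript
// Vulnerable: the same string interpolation as the page's first snippet.
function buildUnsafe(username) {
  return `SELECT * FROM users WHERE username = '${username}'`;
}

// Driver-style binding for '?' placeholders: strings become a single quoted
// literal with every embedded single quote doubled (standard SQL escaping).
function bindParams(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error("missing parameter");
    const v = params[i++];
    if (typeof v === "number" && Number.isFinite(v)) return String(v);
    if (typeof v !== "string") throw new Error("unsupported parameter type");
    return `'${v.replace(/'/g, "''")}'`;
  });
}

function buildSafe(username) {
  return bindParams("SELECT * FROM users WHERE username = ?", [username]);
}

// Scan a query and return the words that sit OUTSIDE string literals.
// Those words are the ones the database will execute as SQL.
function keywordsOutsideLiterals(sql) {
  const out = [];
  let inStr = false, word = "";
  for (let k = 0; k < sql.length; k++) {
    const c = sql[k];
    if (inStr) {
      if (c === "'") {
        if (sql[k + 1] === "'") k++;      // doubled quote is an escaped quote
        else inStr = false;               // otherwise the literal ends here
      }
      continue;
    }
    if (c === "'") { inStr = true; continue; }
    if (/[A-Za-z_]/.test(c)) { word += c; continue; }
    if (word) { out.push(word.toUpperCase()); word = ""; }
  }
  if (word) out.push(word.toUpperCase());
  return out;
}

// Keywords that appear in `query` but not in the benign query for "john".
function injectedKeywords(query) {
  const baseline = new Set(keywordsOutsideLiterals(buildUnsafe("john")));
  return keywordsOutsideLiterals(query).filter((w) => !baseline.has(w));
}

// Allowlist check for usernames (the validation rule above): defense in depth,
// applied on the server in addition to, never instead of, parameterization.
function isValidUsername(u) { return /^[A-Za-z0-9]{1,32}$/.test(u); }
```

With the page's two payloads, injectedKeywords reports OR (and DROP, TABLE) for the interpolated query and nothing for the bound one, because the whole payload stays inside a single string literal.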

4. Principle of least privilege

The database user your application connects with should only have the permissions it needs. If it only reads data, it should not have permission to delete tables.

Common Pitfalls

A common misconception is that SQL injection is only a backend problem. As a frontend developer, you should be aware of it because you are the first line of defense — you handle user input before it reaches the server. While client-side validation alone cannot prevent SQL injection (it can be bypassed), it adds an extra layer and shows security awareness.

Interview Tip

Even though this is primarily a backend topic, frontend interviews at security-conscious companies ask about it. Explain the attack with a simple example (the ' OR '1'='1' trick), then mention parameterized queries as the main defense. Knowing about ORMs and input validation shows you think about the full stack.

Why interviewers ask this

SQL injection has been a top security vulnerability for decades. Interviewers ask about it to see if you understand how user input can be dangerous and what the defenses look like. Even as a frontend developer, understanding injection attacks shows you care about security and can collaborate effectively with backend teams.