12 · Databases & SQL

SQL Injection

Attack via untrusted SQL text

A vulnerability where user input is concatenated into SQL and executed as code. Parameterized queries / bound parameters are the usual defense.

Concrete example

Building `"SELECT * FROM users WHERE id = " + userInput` is unsafe; use bound parameters instead.

Why it matters

One of the first security checks on any agent-written database code.