Definition
SQL Injection
An attack where malicious SQL code is inserted into application inputs to manipulate or extract data from the database.
SQL injection occurs when user input is concatenated directly into SQL queries without proper sanitization or parameterization. An attacker can craft input that changes the query's logic — extracting all user records, bypassing authentication, modifying data, or even deleting tables. Despite being one of the oldest and most well-known vulnerabilities (first documented in 1998), SQL injection remains in the OWASP Top 10 because developers — and AI code generators — keep making the same mistake. The fix is straightforward: use parameterized queries or prepared statements, never string concatenation. ORMs like Prisma and SQLAlchemy handle this by default, but AI tools sometimes generate raw queries that bypass these protections.
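The concatenation mistake and its parameterized fix, side by side. This is an added example, not code from the original page: it uses Python's standard-library `sqlite3` driver against a small in-memory `users` table that is constructed inline. Both lookups are given a legitimate name that happens to contain a quote and the classic tautology input the paragraph alludes to; the vulnerable version returns every row (or fails with a syntax error), while the parameterized version treats the input strictly as a value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("o'brien", "h3")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: the user-supplied string becomes part of the SQL text,
    so quote characters in it can change the query's structure."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: the SQL text is fixed and the value travels separately as a
    bound parameter, so it can only ever be compared, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict[str, object]:
    """Run both lookups with a normal name, a name containing a quote, and a
    tautology input; return the results so they can be compared."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed illustration of input that rewrites the WHERE clause
    results: dict[str, object] = {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        # Concatenation: WHERE username = '' OR '1'='1'  -> matches every row
        "unsafe_injected": find_user_unsafe(conn, tautology),
        # Parameterized: no user is literally named "' OR '1'='1" -> no rows
        "safe_injected": find_user_safe(conn, tautology),
        # Parameterized: a legitimate quote in the data is handled correctly
        "safe_quote_in_name": find_user_safe(conn, "o'brien"),
    }
    try:
        # Concatenation breaks on ordinary data too: WHERE username = 'o'brien'
        find_user_unsafe(conn, "o'brien")
        results["unsafe_quote_in_name"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_quote_in_name"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The quote-in-name case is worth keeping in a test suite even where no attacker is in the picture: a query that cannot handle `o'brien` is the same query an attacker can redirect, so a failing functional test doubles as a cheap detector of string-built SQL.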