1. What is SQL Injection?
- A type of attack where hackers put malicious SQL code into queries.
- Goal: Steal data, modify/delete records, bypass login, or control the database.
Example Attack:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
👉 Always true, so attacker logs in without password!
2. Prevention Techniques
✅ 1. Prepared Statements (Parameterized Queries)
- Best method: Separates SQL code from user input.
String query = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, username);
stmt.setString(2, password);
✅ 2. Stored Procedures
- Predefined queries in DB. Limits attackers from changing query structure.
✅ 3. Input Validation
- Accept only valid formats.
- Example: Username should only allow
[a-zA-Z0-9].
✅ 4. Escape Special Characters
- Use DB functions like
mysqli_real_escape_string()in PHP. - Stops
',--,;from breaking queries.
✅ 5. Web Application Firewall (WAF)
- Blocks malicious requests before they hit DB.
- Example: Cloudflare WAF, ModSecurity.
✅ 6. Limit Database Permissions
- Use least privilege principle.
- Example: Application user can SELECT, INSERT, UPDATE but not DROP.
✅ 7. Use ORMs (Hibernate, SQLAlchemy)
- Automatically handle queries safely.
✅ 8. Disable Error Messages in Production
- Show generic error →
"Something went wrong." - Log real error internally.
✅ 9. Whitelist Input (NOT Blacklist)
- Allow only safe inputs (e.g., only numbers for phone number).
✅ 10. Regular Security Testing
- Use tools like SQLMap, Burp Suite to find vulnerabilities.
3. Quick Revision Table
| Technique | Why it Works |
|---|---|
| Prepared Statements | Separates code & input |
| Stored Procedures | Query structure fixed |
| Input Validation | Blocks bad inputs |
| Escape Characters | Stops query breaking |
| WAF | Blocks malicious requests |
| Limit Permissions | Reduces damage if hacked |
| ORMs | Auto-secure queries |
| Disable Error Messages | Hides DB details |
| Whitelisting | Only safe inputs allowed |
| Security Testing | Finds & fixes weaknesses |
4. Quick Memory Tricks
- Best weapon → Prepared Statements 🛡️
- Rule of Thumb → “Validate early, validate often.”
- Golden Principle → “Least privilege = Best privilege.”
MCQ
1. What is the primary objective of SQL injection attacks?
A. To encrypt the database
B. To execute malicious SQL code to access or manipulate data
C. To perform regular database queries
D. To create backups of the database
Answer: B
2. Which of the following SQL injection prevention techniques uses placeholders for user inputs?
A. Escape special characters
B. Prepared Statements
C. Stored Procedures
D. Object-Relational Mappers (ORMs)
Answer: B
3. What does input validation ensure in the context of SQL injection prevention?
A. It hides error messages from users.
B. It validates query structure.
C. It checks and sanitizes user input to prevent unexpected values.
D. It encrypts the input data.
Answer: C
4. Which of the following is an example of multi-factor authentication?
A. Password only
B. Password and fingerprint
C. Encrypted database connection
D. Stored procedure access
Answer: B
5. How do stored procedures help prevent SQL injection attacks?
A. They encrypt user inputs.
B. They log malicious activities.
C. They define precompiled SQL queries that separate logic from input.
D. They enable direct execution of user inputs.
Answer: C
6. Which of these database user privileges is best for minimizing the impact of SQL injection attacks?
A. Grant full access to all users
B. Use the least privilege principle
C. Allow admin-level access for all queries
D. Disable user account management
Answer: B
7. What is the main advantage of using Object-Relational Mappers (ORMs) in SQL injection prevention?
A. They allow direct database modifications.
B. They generate queries that are immune to injection attacks.
C. They provide detailed error messages.
D. They replace encryption mechanisms.
Answer: B
8. Which tool can be used to test for SQL injection vulnerabilities?
A. SQLAlchemy
B. SQLMap
C. Apache Spark
D. Elasticsearch
Answer: B
9. Why should special characters like ' and -- be escaped in SQL queries?
A. To speed up query execution
B. To enhance database indexing
C. To prevent malicious query termination or manipulation
D. To reduce the size of query results
Answer: C
10. What type of access control involves assigning roles and permissions to users?
A. Attribute-based Access Control (ABAC)
B. Role-based Access Control (RBAC)
C. Discretionary Access Control (DAC)
D. Mandatory Access Control (MAC)
Answer: B
11. Which of the following is NOT a best practice for preventing SQL injection attacks?
A. Use prepared statements
B. Disable detailed error messages in production
C. Allow user input directly in SQL queries
D. Validate user input against whitelisted patterns
Answer: C
12. What is the primary function of a Web Application Firewall (WAF)?
A. Encrypt database queries
B. Block SQL injection attempts in HTTP requests
C. Perform database backups
D. Rewrite all SQL queries automatically
Answer: B
13. What is the role of encryption in SQL injection prevention?
A. It ensures user inputs are sanitized.
B. It secures sensitive data in transit or at rest.
C. It blocks all unauthorized queries.
D. It validates user permissions.
Answer: B
14. Which of these SQL injection prevention techniques works by allowing only predefined valid inputs?
A. Blacklisting
B. Whitelisting
C. Escaping
D. Multi-factor Authentication
Answer: B
15. Why is disabling error messages in production important for SQL injection prevention?
A. It enhances query performance.
B. It prevents attackers from gaining information about the database structure.
C. It reduces the size of the database logs.
D. It simplifies debugging.
Answer: B
16. What does the principle of “least privilege” mean in SQL injection prevention?
A. Users are given the maximum access required for their tasks.
B. Users are granted only the minimum permissions necessary.
C. Only administrators are allowed to access the database.
D. Permissions are ignored for trusted users.
Answer: B
17. What is the purpose of regular penetration testing in database security?
A. To monitor database uptime
B. To identify and fix vulnerabilities like SQL injection
C. To improve query performance
D. To backup sensitive user data
Answer: B
18. Which of these techniques helps secure dynamic SQL queries?
A. Password hashing
B. Prepared statements
C. Token-based authentication
D. Index optimization
Answer: B
19. What is the main drawback of blacklisting techniques for SQL injection prevention?
A. They are too strict in filtering inputs.
B. They can miss new malicious patterns or payloads.
C. They require prepared statements.
D. They are incompatible with ORMs.
Answer: B
20. Which layer of security adds protection beyond SQL injection prevention in code?
A. Hardware firewalls
B. Web Application Firewalls (WAFs)
C. Database indexing
D. Distributed caching
Answer: B