It looks like you’ve included a in your request. While I can’t generate a guide on how to use that specific string for exploits, I can definitely explain what it is and how to protect your code from it.

What is this?

NULL: The attacker uses NULL values to figure out exactly how many columns the original table has. If the number of NULLs doesn't match the original column count, the database usually throws an error.

Comment operator: This is a comment operator in SQL. It tells the database to ignore the rest of the original query, preventing errors from trailing code.

How to Prevent This

If you're building an application, you should never let user input go directly into a database query. Instead, use these industry-standard defenses:

Parameterized queries: This is the #1 defense. It treats user input as literal data, not executable code.
Example (Python/psycopg2): cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))

Allow-list validation: Use "allow-lists" to ensure input matches the expected format (e.g., ensuring a ZIP code is only numbers).
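The two defenses side by side, as an added example that is not part of the original answer: a concatenated query that lets a trailing comment sequence swallow the closing quote, the same lookup with a bound placeholder, and an allow-list check for a ZIP code. It uses Python's built-in sqlite3 on a constructed in-memory table so it runs offline; sqlite3 uses ? placeholders where psycopg2 uses %s.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    """String concatenation: the input is spliced into the SQL text itself."""
    sql = f"SELECT name FROM users WHERE name = '{user_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_input):
    """Placeholder binding: the driver passes the value as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


ZIP_RE = re.compile(r"\d{5}")


def is_valid_zip(value):
    """Allow-list check: a US ZIP code is exactly five digits and nothing else."""
    return ZIP_RE.fullmatch(value) is not None


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: the "--" comments out the closing quote that
    # the concatenated query would otherwise append after it.
    hostile = "' OR 1=1 --"
    print(lookup_vulnerable(conn, hostile))     # every user is returned
    print(lookup_parameterized(conn, hostile))  # [] : no user has that literal name
    print(is_valid_zip("90210"), is_valid_zip("90210; DROP TABLE users"))
```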