SQL Injection and Security
Protecting Your Database from Malicious Input

Introduction

Imagine a school system where a student can type a command into a login field — and suddenly all marks are wiped from the database. That’s SQL Injection in action — and it’s one of the most dangerous web vulnerabilities. In this tutorial, you’ll learn what it is, how it works, and most importantly, how to stop it.

What is SQL Injection?

SQL Injection is a code injection technique where malicious SQL is inserted into a query via user input. If not properly handled, it can manipulate or expose your entire database.

Basic Scenario – Unsafe Query

Let’s assume a school has a student login system:

SELECT * FROM students
WHERE roll_no = '3' AND password = 'pass123';

This query is generated using user input, like this:

// Pseudo-code (not actual SQL)
"SELECT * FROM students WHERE roll_no = '" + input_roll + "' AND password = '" + input_pass + "'";

SQL Injection in Action

Now imagine this input:

input_roll: 3  
input_pass: ' OR '1'='1

The final query becomes:

SELECT * FROM students
WHERE roll_no = '3' AND password = '' OR '1'='1';

Result: The condition always returns true, and the attacker logs in without a valid password.

Advanced Injection – DROP TABLE

input_roll: 3  
input_pass: pass123'; DROP TABLE students; --

Final SQL:

SELECT * FROM students WHERE roll_no = '3' AND password = 'pass123';
DROP TABLE students;
--'

This deletes the entire student table. Terrifying, right?

How to Prevent SQL Injection

1. Use Prepared Statements (Parameterized Queries)

This is the most effective solution. It separates data from SQL logic.

// In MySQL or PHP using PDO:
$stmt = $conn->prepare("SELECT * FROM students WHERE roll_no = ? AND password = ?");
$stmt->bind_param("is", $roll_no, $password);
$stmt->execute();

2. Validate and Sanitize Input

• Use input types like number or email
• Check length, pattern, and format of input

3. Escape Dangerous Characters

Escape quotes, semicolons, and dashes in input (only when using dynamic SQL — not recommended).

4. Use ORM or Query Builders

Frameworks like Django, Laravel, or Hibernate handle queries securely behind the scenes.

5. Least Privilege Access

The database user used by the app should not have DROP or ALTER rights.

Secure Example with Prepared Statement

// PHP + MySQLi example
$stmt = $conn->prepare("SELECT name FROM students WHERE roll_no = ? AND password = ?");
$stmt->bind_param("is", $roll_no, $password);
$stmt->execute();

Even if someone tries to inject malicious SQL, it will be treated as plain input — not executable code.

Real-World School Use Cases

• Prevent fake login during parent-teacher meetings
• Secure marks upload pages used by staff
• Protect student registration forms from malicious bots

Best Practices Checklist

• Always use prepared statements
• Validate all user inputs
• Never concatenate user input into raw SQL
• Limit DB user privileges
• Use security-aware frameworks

Summary

SQL Injection is simple to perform, but devastating in impact. The good news? It’s also easy to prevent — if you stick to best practices like prepared statements and input validation. In the world of school apps, security is not optional — it protects real student data, real people, and real futures.

What’s Next?

Coming up: SQL Interview Questions — get ready to answer real-world SQL scenarios with confidence and clarity.