Why is SQL injection still a thing?

peledzohar profile image Zohar Peled ・1 min read

I've just published Back to basics: SQL Injection over on What the # do I know?.

It's not that I think the already existing articles and posts about SQL injection aren't good enough, but because I've seen way too many questions on stackoverflow lately with vulnerable code - and I find it amazing (in a bad way) that this is still a problem today.

I mean, there is an easy-to-use 100% bullet proof solution to this problem for more than two decades now - so why hasn't this threat been eradicated yet?

In this post I summarize the following topics:

  • What is SQL Injection?
  • How does this work?
  • How can you write safe SQL?
  • How do parameters prevents SQL Injection?


markdown guide

I guess some of the problem is that people are introduced to SQL as "a bunch of text we send to a server somewhere to get data" and they're also introduced to "you can build SQL strings". Logically, what flows is "to get filter data (and other data) into sql queries, use string concatenations"

Sometimes that's viable; sometimes we can use in-line quoting to get where we want; but yes: we should have been introduced to SQL as a secondary language from the start, ie how to interact with SQL-based databases from another language where parameters are best method for getting dynamic data into queries.

Also, I guess SQL is difficult enough because it requires "set thinking" over "iterative thinking", so that's already a lot for people to deal with (: