> For the complete documentation index, see [llms.txt](https://0xn3va.gitbook.io/application-security-handbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/sql-injection.md).

# SQL Injection (SQLi)

## Overview

SQL injection (SQLi) is a vulnerability that allows an attacker to interfere with queries that an application makes to its database. It generally allows an attacker to inject SQL and gain the ability to read, modify and delete data.

For example, consider an application that displays products in different categories. The following URL will return a list of products on the `Gifts` category:

```
https://vulnerable-website.local/products?category=Gifts
```

The application makes the following SQL query to retrieve data from a database:

```sql
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
```

The restriction `released = 1` is being used to hide products that are not released. If the `category` variable is directly passed to the SQL query, an attacker can craft the following URL:

```
https://vulnerable-website.local/products?category=Gifts'--
```

This results in the SQL query:

```sql
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
```

Since `--` is a comment in SQL, an attacker can retrieve all products, whether they are released or not.

You can find more details at [PortSwigger Web Security Academy: SQL injection](https://portswigger.net/web-security/sql-injection).

This page contains recommendations for the implementation of protection against SQL injection (SQLi) attacks.

## General

<div align="left"><img src="/files/QJuMWI21M60ZKzo0mFAN" alt=""></div>

* Do **not** use string formatting or concatenation to assemble SQL queries.
* Use prepared statements (or parametrized queries) to assemble SQL queries.

## Prepared statements

<div align="left"><img src="/files/QJuMWI21M60ZKzo0mFAN" alt=""></div>

{% tabs %}
{% tab title="Go" %}
Use a database driver from the following list of available drivers: <https://github.com/golang/go/wiki/SQLDrivers>.

**Example for PostgreSQL**

```go
func handler(w http.ResponseWriter, r *http.Request) {
    userId := r.URL.Query().Get("id")
    if userId != "" {
        rows, err := db.Query("SELECT name FROM users WHERE id = $1", userId)
        // ...
    }
}
```

Remember that placeholders are database specific:

**MySQL**

Placeholder

```sql
WHERE col = ?
```

Example

```go
db.Query("SELECT name FROM users WHERE favorite_fruit = ? OR age BETWEEN ? AND ?", "orange", 64, 67)
```

**PostgreSQL**

Placeholder

```sql
WHERE col = $1
```

Example

```go
db.Query("SELECT name FROM users WHERE favorite_fruit = $1 OR age BETWEEN $2 AND $3", "orange", 64, 67)
```

**Oracle**

Placeholder

```sql
WHERE col = :col
```

Example

```go
stmt, err := conn.Prepare("SELECT name FROM users WHERE favorite_fruit = :1 OR age BETWEEN :2 AND :3")
rows, err := stmt.Query("orange", 64, 67)
```

{% endtab %}
{% endtabs %}

## References

* [OWASP Cheat Sheet Series: SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/sql-injection.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.