What is SQL injection and how do you prevent it?
SQL injection is a vulnerability where an attacker supplies input that is interpreted as SQL syntax rather than data, allowing them to manipulate queries, bypass authentication, exfiltrate data, or destroy database contents.
The root cause is string concatenation of user input into SQL queries. Consider: `query = "SELECT * FROM users WHERE username='" + username + "'"`. If the attacker submits `' OR '1'='1`, the query becomes `WHERE username='' OR '1'='1'` — which is always true and returns all users. With `'; DROP TABLE users; --`, they can append destructive statements.
Attack classes: authentication bypass (as above), data exfiltration (UNION-based injection to read other tables), blind SQL injection (boolean or time-based — infer data character by character when output isn't returned), and second-order injection (malicious payload stored in the DB and used in a later query).
The primary prevention is parameterized queries (prepared statements). The query structure is compiled separately from the data values, and the database driver handles proper escaping. In Python with psycopg2: `cursor.execute("SELECT * FROM users WHERE username = %s", (username,))`. The second argument is always treated as data, never as SQL syntax — even if it contains quotes, semicolons, or SQL keywords. This is not string formatting; the placeholder mechanism is separate from the query text.
ORMs like SQLAlchemy and Django ORM use parameterized queries internally, so standard ORM usage is safe. The danger reappears when using raw SQL within ORMs — `session.execute(text(f"WHERE name = '{name}'"))` is unsafe; `session.execute(text("WHERE name = :name"), {"name": name})` is safe.
Additional defenses in depth: least-privilege database accounts (the app user shouldn't have DROP or admin privileges), input validation (reject unexpected characters for structured inputs like IDs), stored procedures with parameterization, and WAFs as a backstop (not a substitute). ORMs reduce surface area but don't eliminate risk from raw queries or dynamic order-by clauses.
SQLMap is the canonical automated tool for detecting and exploiting SQL injection. Running it against your own app in a test environment is a standard audit step. OWASP lists SQLi as part of the A03:2021 Injection category.
Correctly explains the mechanism (unsanitized input concatenated into SQL), gives a concrete example of the attack, and explains parameterized queries as the primary prevention.
All of the above plus: distinguishes multiple attack types (authentication bypass, data exfiltration, blind SQLi), explains why parameterized queries work mechanically (query structure compiled separately), discusses ORM safety and the raw query trap, and mentions defense-in-depth (least privilege, input validation).
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment