This is the gold standard. Instead of building a query string with user input, you use placeholders ( ? ). The database treats the input strictly as data, never as executable code.
The attacker isn't trying to delete data yet; they are trying to "fingerprint" the database. This is the gold standard
like usernames, hashed passwords, or emails. How to Prevent It The database treats the input strictly as data,
The snippet you provided is a classic example of an attack. How to Prevent It The snippet you provided
It uses functions like CONCAT and GROUP BY to intentionally trigger a duplicate-key error. The database's error message will then "leak" the information hidden inside the query (in this case, the results of the SELECT 1 or version info) back to the attacker's screen.
Only allow the types of characters you expect. If a user is searching for a "Keyword," they probably don't need to use parentheses or semicolons.