: This attempts to combine the results of the original legitimate database query with a new query controlled by the attacker.

: The attacker uses NULL values to figure out exactly how many columns the original table has. If the number of NULLs doesn't match the original column count, the database usually throws an error.

: This is a comment operator in SQL. It tells the database to ignore the rest of the original query, preventing errors from trailing code.

How to Prevent This

If you're building an application, you should never let user input go directly into a database query. Instead, use these industry-standard defenses:

Parameterized queries, so the database driver sends user input as a value rather than as part of the SQL text. Example (Python/psycopg2): cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))

Least privilege: ensure your database user account only has the permissions it absolutely needs (e.g., a web app shouldn't have permission to drop tables).
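As an added example (not code from the original page), here is the parameterized defense placed next to the string-built query it replaces, run against the column-count probe described above. It uses Python's built-in sqlite3 in memory instead of psycopg2 so it runs offline (sqlite3 uses ? where psycopg2 uses %s); the table, rows and probe strings are all constructed here.

```python
import sqlite3


def setup_db():
    # Constructed sample schema and rows; the lookup query below returns two columns.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_unsafe(conn, user_input):
    # Vulnerable: the user's text is spliced into the SQL statement itself,
    # so a closing quote, a UNION and a trailing comment all get executed as SQL.
    sql = f"SELECT id, name FROM users WHERE name = '{user_input}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    # Parameterized: the driver passes the value separately from the query
    # text, so the input can only ever be compared as a string literal.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (user_input,)).fetchall()


def run_unsafe(conn, user_input):
    """Return the rows the vulnerable query produces, or the error message it raises."""
    try:
        return lookup_unsafe(conn, user_input)
    except sqlite3.OperationalError as exc:
        return str(exc)


# Constructed probes of the kind the text describes: close the string, append a
# query with N NULL columns, and comment out the rest of the original statement.
PROBE_TWO_NULLS = "x' UNION SELECT NULL, NULL --"   # matches the 2-column query
PROBE_ONE_NULL = "x' UNION SELECT NULL --"          # column count mismatch -> error


if __name__ == "__main__":
    db = setup_db()
    print("unsafe, 2 NULLs:", run_unsafe(db, PROBE_TWO_NULLS))  # extra (None, None) row
    print("unsafe, 1 NULL: ", run_unsafe(db, PROBE_ONE_NULL))   # database error text
    print("safe,   2 NULLs:", lookup_safe(db, PROBE_TWO_NULLS))  # [] - treated as a name
```

With the parameterized version both probes simply fail to match any user, which is also why the least-privilege advice above matters less for this path: there is no attacker-controlled SQL left to run.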