SQL Injection Prevention
Comments criticize constructing SQL queries via string concatenation or interpolation with user input due to SQL injection risks, strongly advocating for prepared statements and parameterized queries as the safe alternative.
Sample Comments
Nice to see people are still oblivious to SQL injection and using string interpolation instead of prepared statements.
Am I the only one that finds it ridiculous that the way to query for data in SQL is by passing a string?
Don't parameterized queries provide all the safety one might need?
It's 2025 why are you gluing SQL strings? Don't even use it as an example!
Author is confusing prepared statements with parameterized queries/escaping in one of the first points. Prepared statements are not related to SQL injections, i.e. you can build them from interpolated strings as well.
For every person that gets SQL string concatenation right, 20 get it wrong. And there are simple and safe ways to write arbitrary SQL queries without using concatenation. Parameterized queries are available everywhere. There is a reason we tell everyone not to do it, and that reason is that it's dangerous and almost everyone screws it up. I have found your case to be the exception in 13 years as an infosec researcher and consultant.
People are still constructing SQL statements using user provided data? Have they never used prepared statements before?
Honestly, use prepared statements... You get the same benefit of "template literals", but the data and query are separated at the DB level. The DB knows what is data and what is query, therefore any attempt at escaping from SQL will be quashed there.
If you're just worried about injection, you just need to use bound parameters instead of string interpolation. Boom, avoided at the database driver level even with plain SQL. I admit though that some cases of string interpolation can be harder to catch in your code than when using ORMs.
Yup. And, if you're writing anything that talks to a database, use a parameterized statement (sometimes called a prepared statement) instead of just concatenating strings. You will blow it if you concatenate strings and that's what we call SQL injection.