Prevent SQL injection attacks using prepared statements, parameterized queries, and input validation. Use when building database-driven applications securely.
Implement comprehensive SQL injection prevention using prepared statements, parameterized queries, ORM best practices, and input validation.
Minimal working example:
```javascript
// secure-db.js
const { Pool } = require("pg");

class SecureDatabase {
  constructor() {
    // Connection settings come from the environment, never from source code.
    this.pool = new Pool({
      host: process.env.DB_HOST,
      database: process.env.DB_NAME,
      user: process.env.DB_USER,
      password: process.env.DB_PASSWORD,
      max: 20,
      idleTimeoutMillis: 30000,
      connectionTimeoutMillis: 2000,
    });
  }

  /**
   * ✅ SECURE: Parameterized query
   * The SQL text is constant; userId is sent as a bound parameter ($1),
   * so the database never parses it as part of the statement.
   */
  async getUserById(userId) {
    const query = "SELECT * FROM users WHERE id = $1";
    const values = [userId];
    try {
      const result = await this.pool.query(query, values);
      // ... (see reference guides for full implementation)
      return result.rows[0] ?? null;
    } catch (err) {
      // Log server-side; never echo raw database errors back to the client.
      console.error("getUserById failed", err);
      throw err;
    }
  }
}

module.exports = { SecureDatabase };
```
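The following is an added example, not the page's `secure-db.js`. It contrasts string concatenation with a parameterized `{ text, values }` pair as `pg` expects, adds a shape check on the id, and covers the one case a `$1` placeholder cannot handle: an identifier (such as an `ORDER BY` column) chosen by the client, which must be allowlisted. The column allowlist and the positive-integer id rule are assumptions made for the example; it runs offline without a database.

```javascript
// Vulnerable: untrusted input is spliced into the SQL text itself.
function buildVulnerableQuery(userId) {
  return { text: `SELECT * FROM users WHERE id = ${userId}`, values: [] };
}

// Secure: the SQL text never changes; the driver ships values separately,
// so whatever userId contains is treated as data, not as SQL.
function buildParameterizedQuery(userId) {
  return { text: "SELECT * FROM users WHERE id = $1", values: [userId] };
}

// Defence in depth: reject input that cannot be a valid id before it reaches
// the driver. Constructed rule: a positive integer of at most 15 digits.
function validateUserId(input) {
  const s = String(input);
  if (!/^[1-9]\d{0,14}$/.test(s)) {
    throw new TypeError(`invalid user id: ${s}`);
  }
  return Number(s);
}

// Identifiers cannot be bound as parameters, so a client-chosen sort column
// is looked up in an allowlist (constructed here) and never interpolated raw.
const SORTABLE_COLUMNS = new Set(["id", "email", "created_at"]);

function buildOrderedQuery(sortColumn, direction) {
  if (!SORTABLE_COLUMNS.has(sortColumn)) {
    throw new RangeError(`column not sortable: ${sortColumn}`);
  }
  const dir = direction === "desc" ? "DESC" : "ASC";
  return {
    text: `SELECT id, email FROM users ORDER BY "${sortColumn}" ${dir}`,
    values: [],
  };
}
```

In real code the returned object is passed straight to `pool.query(q.text, q.values)`; the vulnerable builder is included only to make the difference in the generated SQL visible.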
Detailed implementations in the references/ directory:
| Guide | Contents |
|---|---|
| Node.js with PostgreSQL | Node.js with PostgreSQL |
| Python with SQLAlchemy ORM | Python with SQLAlchemy ORM |
| Java JDBC with Prepared Statements | Java JDBC with Prepared Statements |
| Input Validation & Sanitization | Input Validation & Sanitization |