Security & Networking

SQL Injection Prevention

Preventing SQL injection attacks with prepared statements.

SQL Injection Example

# Vulnerable code (NEVER DO THIS)
const query = `SELECT * FROM users WHERE id = ${userId}`;

# Attack payload
userId = "1 OR 1=1"
# Returns ALL users

Prepared Statements (Node.js)

# Safe - using placeholders
const query = "SELECT * FROM users WHERE id = ?";
db.query(query, [userId], (err, results) => {
    # userId is safely escaped
});

# Named parameters
const query = "SELECT * FROM users WHERE email = :email";

PDO Prepared (PHP)

# Safe PDO query
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
$user = $stmt->fetch();

Python Parameterized

# Safe - using parameters
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

# Multiple parameters
query = "INSERT INTO users (name, email) VALUES (%s, %s)"
cursor.execute(query, (name, email))

ORM (Safe)

# Sequelize (Node.js)
User.findOne({ where: { email: userEmail } });

# Django ORM (Python)
User.objects.get(email=user_email)

# Eloquent (Laravel)
User::where("email", $email)->first();

Input Validation

# Whitelist validation
const allowedFields = ["name", "email", "age"];
if (!allowedFields.includes(sortBy)) {
    throw new Error("Invalid field");
}

Related References

Security & Networking

API Security Best Practices

Securing REST APIs with authentication and rate limiting.
Security & Networking

CORS Basics

Cross-Origin Resource Sharing configuration and headers.
Security & Networking

CSRF & XSS Prevention

Preventing Cross-Site Request Forgery and Cross-Site Scripting attacks.