What is SQLi (SQL Injection)?
An attack where attacker-controlled input is interpolated into a SQL query, letting the attacker execute arbitrary SQL.
Full explanation
SQL injection is one of the oldest vulnerabilities and remains in the OWASP Top 10. It happens when user input is concatenated into SQL strings (`SELECT * FROM users WHERE name = '${userInput}'`). The defense is parameterized queries — the database receives the SQL and the values as separate inputs, and user input is never compiled as SQL.
Example
`SELECT * FROM users WHERE email = '${email}'` — attacker submits `' OR 1=1 --` as email. Query becomes `SELECT * FROM users WHERE email = '' OR 1=1 --'`: the leading quote closes the string literal, `OR 1=1` makes the `WHERE` clause true for every row, and `--` comments out the trailing quote, so the query returns every user.
FAQ
Does using an ORM prevent SQL injection?
If you stick to the ORM's typed query API, yes. Raw query APIs (Prisma's `$queryRawUnsafe`, Drizzle's `sql.raw`, etc.) can still be misused.
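The example below is added here and is not code from the original page or from any ORM. It builds the glossary's `email` query three ways: by string interpolation (the vulnerable form), as a hand-written parameterized statement in the `{ text, values }` shape that drivers such as node-postgres accept, and through a small tagged-template helper that turns every `${}` interpolation into a `$n` placeholder, which is the mechanism typed ORM query APIs rely on. The names `vulnerableQuery`, `parameterizedQuery`, `sql`, `taggedQuery` and `sqlTextIsStatic` are illustrative, and the attacker input is constructed from the page's example. No database is needed; the point is what the SQL text looks like before it ever reaches one.

```javascript
// Constructed attacker input, taken from the glossary example above.
const PAYLOAD = "' OR 1=1 --";

// Vulnerable: the value is spliced into the SQL text, so the database
// parses attacker-controlled characters as part of the statement.
function vulnerableQuery(email) {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// Parameterized: the SQL text is fixed and the value is shipped alongside it.
// This is the { text, values } shape node-postgres (pg) expects; the driver
// sends the two separately, so the value is never compiled as SQL.
function parameterizedQuery(email) {
  return { text: "SELECT * FROM users WHERE email = $1", values: [email] };
}

// Hypothetical tagged-template helper (the idea behind typed ORM query APIs):
// the literal pieces of the template become the SQL text and each interpolated
// value becomes a numbered placeholder plus an entry in the values array.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((_, i) => {
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, values };
}

// Same query written the way a developer would use such a helper.
function taggedQuery(email) {
  return sql`SELECT * FROM users WHERE email = ${email}`;
}

// Unit-test style check a defender can keep in CI: a safe query builder must
// emit identical SQL text regardless of the value it is given. If the text
// changes with the input, user data has leaked into the statement.
function sqlTextIsStatic(build, inputA, inputB) {
  return build(inputA).text === build(inputB).text;
}

// Demonstration when run directly.
console.log("vulnerable   :", vulnerableQuery(PAYLOAD));
console.log("parameterized:", parameterizedQuery(PAYLOAD));
console.log("tagged       :", taggedQuery(PAYLOAD));
console.log("tagged text static across inputs:",
  sqlTextIsStatic(taggedQuery, "alice@example.com", PAYLOAD));
```

With the payload, `vulnerableQuery` returns exactly the broken statement shown in the example, while both safe forms return the unchanged text `SELECT * FROM users WHERE email = $1` with `' OR 1=1 --` sitting in `values[0]` as an ordinary string. The `sqlTextIsStatic` check is the property worth asserting in tests around any raw-query escape hatch like `$queryRawUnsafe` or `sql.raw`.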