String-concatenated SQL is vulnerable. Parameterized queries pass values separately to the driver.
What you're seeing
The fix has been known for 25 years, and vulnerable code still ships every year. Vulnerable code concatenates user
input into the SQL string, so the quote character in attacker input like ' OR '1'='1 closes the string literal and the rest of the input is parsed as SQL, changing the meaning of the query.
Parameterized queries send the query text and the values separately. The database driver (or the server, for server-side prepared statements) binds each value as data, never as SQL, so there are no escaping rules to get wrong. Every modern driver supports this; use it. The one limit: parameters bind values only, not identifiers such as table or column names or an ORDER BY direction. Those must come from a fixed allow-list in the application, never from the request.
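The two code paths side by side, as an added example that is not part of this page's demo: Python with the standard-library sqlite3 module, run against a constructed in-memory users table (the usernames, passwords and payloads are made up here). It also goes one step beyond the page: ORDER BY takes an identifier, which no driver can bind as a parameter, so the last function shows the allow-list that case needs.

```python
import sqlite3

# Constructed sample data for the demo (hypothetical users, not from any real system).
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "hunter2"),
]

# Allow-list for the one thing parameters cannot bind: identifiers.
ALLOWED_SORT_COLUMNS = frozenset({"id", "username"})


def make_db():
    """Create an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Parameterized insert: the tuple values are bound, not spliced into the text.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text (the pattern the page warns about).

    A quote in the input closes the string literal, and whatever follows is
    parsed as SQL. Kept deliberately vulnerable to show the failure.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Sends the query text and the values separately.

    sqlite3 binds each ? to the matching value as data, so a quote in the
    input is just a character inside the string being compared.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def list_users_sorted(conn, column):
    """ORDER BY needs an identifier, which a parameter cannot supply.

    The only safe way to take a column name from a caller is to check it
    against a fixed allow-list before it ever touches the SQL text.
    """
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # turns the WHERE clause into ... AND password = '' OR '1'='1'
    comment = "alice'--"       # closes the literal; -- comments out the password check
    print("vulnerable, tautology:    ", login_vulnerable(conn, "alice", tautology))
    print("vulnerable, comment:      ", login_vulnerable(conn, comment, "anything"))
    print("parameterized, tautology: ", login_parameterized(conn, "alice", tautology))
    print("parameterized, real creds:", login_parameterized(conn, "alice", "correct horse"))
    print("sorted by allow-listed column:", list_users_sorted(conn, "username"))
```

Run it and the vulnerable function returns every user for the tautology payload and logs "alice" in without a password for the comment payload, while the parameterized function returns nothing for either and only matches the real credentials. Note that the allow-list in list_users_sorted is not escaping: the column name is compared against a closed set before it is interpolated, which is the only sound way to handle identifiers.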
★ KEY TAKEAWAY
Concatenated SQL = vulnerable. Parameterized queries = safe. The fix has been known for 25 years and still ships every year.
▶ WHAT TO TRY
- Click Try injection — watch the vulnerable query get hijacked.
- The parameterized version treats the input as DATA, not SQL.