SQL injection is over 25 years old, but it still ranks among the top vulnerabilities. Every developer should know how to defend against it.
Prepared statements in various languages
Python + psycopg2
cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
Node.js + pg
const result = await pool.query('SELECT * FROM users WHERE email = $1', [email]);
Java + JDBC
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE email = ?");
stmt.setString(1, email);
Go + database/sql
row := db.QueryRow("SELECT * FROM users WHERE email = $1", email)
C# + Dapper
var user = conn.QueryFirst<User>("SELECT * FROM users WHERE email = @email", new { email });
ORM layer
SQLAlchemy
user = session.query(User).filter(User.email == email).first()
Prisma
const user = await prisma.user.findUnique({ where: { email } });
Entity Framework
var user = context.Users.FirstOrDefault(u => u.Email == email);
Defense in Depth
- Prepared statements (primary defense)
- ORM with parameterization
- Input validation (whitelist)
- Least privilege DB accounts
- WAF rules
- SAST scanning
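The following Python example is added here to illustrate two of the points above and is not code from the original article. It puts a string-formatted lookup beside the parameterized form from the "Prepared statements" section, so the difference is visible on the same input, and it shows the one place where a placeholder cannot help: an identifier such as an ORDER BY column, which has to be checked against an allow-list instead (the "Input validation (whitelist)" layer). It uses the standard library sqlite3 driver with an in-memory database; the table, the rows, the SORTABLE_COLUMNS set and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the original article).
USERS = [
    ("alice@example.com", "alice"),
    ("bob@example.com", "bob"),
    ("carol@example.com", "carol"),
]

# Hypothetical allow-list of columns a caller may sort by. Column names
# cannot be bound as query parameters, so they are validated instead.
SORTABLE_COLUMNS = {"email", "name"}


def open_db() -> sqlite3.Connection:
    """Return an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string formatting: the input becomes SQL syntax.

    Shown only to contrast with find_user_safe; never ship this pattern."""
    sql = f"SELECT email, name FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Binds the value through a placeholder: the input is only ever data."""
    return conn.execute(
        "SELECT email, name FROM users WHERE email = ?", (email,)
    ).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Sort by a caller-chosen column.

    The column is an identifier, not a value, so a placeholder cannot carry
    it. The allow-list check is what keeps the interpolation safe."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(
        f"SELECT email, name FROM users ORDER BY {sort_by}"
    ).fetchall()


def demo() -> tuple:
    """Run the same tautology input through both lookups.

    Returns (rows from the vulnerable query, rows from the safe query)."""
    conn = open_db()
    try:
        tautology = "x' OR '1'='1"
        vulnerable = find_user_vulnerable(conn, tautology)
        safe = find_user_safe(conn, tautology)
        return len(vulnerable), len(safe)
    finally:
        conn.close()


if __name__ == "__main__":
    # Expected: the formatted query matches every row, the bound one none.
    print("rows returned (vulnerable, safe):", demo())
```

The contrast is the point of the first pair of functions: with string formatting the WHERE clause collapses to a tautology and every row comes back, while the bound parameter compares the literal string and matches nothing. The third function is the caveat that belongs next to "use prepared statements always": table and column names, sort direction and LIMIT counts in some drivers cannot be parameterized, and for those the allow-list is the control, ideally combined with a database account that can only read the tables the application needs.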
Key Takeaway
Prepared statements are the unbeatable defense. Use them always, in all languages, without exception.