
SQL Injection Prevention

Verified by Community

Detects SQL injection attack vectors and implements prevention measures including parameterized queries, ORM best practices, input validation, stored procedures, least-privilege database accounts, and WAF rules.

Tags: sql-injection, security, database, prevention, backend

Detects SQL injection vulnerabilities and implements comprehensive prevention measures across the application stack. Covers attack vector identification (classic, blind, time-based, second-order), parameterized queries and prepared statements, ORM security best practices, input validation and sanitization, stored procedure security, least-privilege database accounts, and web application firewall (WAF) rule configuration.

Usage

Provide code samples that interact with a database, or describe your application's data access patterns and tech stack. Specify whether you need a security audit of existing code or guidance for building new features securely. The skill identifies vulnerabilities and provides secure code replacements with explanations of each attack vector.

Examples

  • "Audit this Node.js Express route for SQL injection: it builds a query with user input from req.query"
  • "Convert these string-concatenated SQL queries in Python to parameterized queries using psycopg2"
  • "Review this Drizzle ORM usage for potential raw SQL injection through dynamic where clauses"
  • "Identify second-order SQL injection risks where user input is stored and later used in queries"

Guidelines

  • ALWAYS use parameterized queries or prepared statements — never concatenate user input into SQL strings
  • Use your ORM's query builder (Drizzle, Prisma, SQLAlchemy) for dynamic queries instead of raw SQL
  • When raw SQL is unavoidable, use the ORM's tagged template or parameter binding (e.g. sql`... ${param} ...`) so values are bound rather than interpolated
  • Validate and whitelist dynamic column names, table names, and sort directions — these cannot be parameterized
  • Apply input validation (type, length, format) as defense-in-depth, but never as the sole protection
  • Use least-privilege database accounts: the app should not connect as a superuser or database owner
  • Enable query logging in development to detect queries with concatenated user input during code review
  • Test for SQL injection with tools like sqlmap in staging environments as part of your security testing pipeline
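The first and third guidelines side by side, as an added example that is not part of this skill's own code: a concatenated lookup next to its parameterized replacement, and a whitelist for a sort column and direction, which cannot be bound as parameters. It assumes an in-memory SQLite table as a stand-in for the application database; the rows are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the app database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def find_user_vulnerable(conn, name):
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote character in `name` changes the WHERE clause instead of the value.
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Parameter binding: the driver sends `name` as a value, never as SQL text.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

# Identifiers (column names, sort direction) cannot be bound as parameters,
# so dynamic ORDER BY input is checked against a fixed whitelist instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def list_users(conn, sort_by="id", direction="ASC"):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    # Safe to interpolate: both values come from the whitelist, not the user.
    query = f"SELECT id, name FROM users ORDER BY {sort_by} {direction}"
    return conn.execute(query).fetchall()
```

Running the two lookups with a quote-bearing input shows the difference: the concatenated version returns every row because the WHERE clause was rewritten, the bound version returns nothing because no user has that literal name.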