Sign in to save

Bookmark this page so you can find it later.

Sign in to save

Bookmark this page so you can find it later.

SQL Injection Prevention Reference cheat sheet - grade 11-12

Click image to open full size

Computer Science Grade 11-12

SQL Injection Prevention Reference Cheat Sheet

A printable reference covering SQL injection, unsafe queries, prepared statements, parameter binding, input validation, least privilege, and secure error handling for grades 11-12.

Download PNG

Study as Flashcards

SQL injection is a web security problem that happens when user input is treated as part of a database command. This cheat sheet helps students recognize unsafe query construction and understand why string concatenation is dangerous. It also shows the main defenses used in real applications, especially prepared statements and parameterized queries. These skills matter because databases often store passwords, personal data, grades, orders, and other sensitive information.

Key Facts

  • SQL injection happens when untrusted input changes the meaning of a SQL command, such as input ' OR '1'='1 making a login condition always true.
  • Unsafe query construction often looks like "SELECT * FROM users WHERE name = '" + userName + "'", because userName can contain SQL code.
  • A prepared statement separates the SQL structure from the data, using a placeholder such as SELECT * FROM users WHERE name = ?.
  • Parameter binding sends user input as a value, so input like ' OR '1'='1 is treated as text instead of executable SQL.
  • Input validation should check allowed formats, lengths, and ranges, such as allowing only numbers for a user_id field.
  • Escaping quotes is not a complete defense because it is easy to apply incorrectly and may fail with different databases or encodings.
  • Least privilege means the application database account should only have the permissions it needs, such as SELECT and INSERT but not DROP TABLE.
  • Safe error handling hides detailed database errors from users while logging technical details for developers.

Vocabulary

SQL injection
A security attack where malicious input changes a SQL query so the database runs unintended commands.
Prepared statement
A precompiled SQL command that uses placeholders so data values are supplied separately from the query structure.
Parameterized query
A database query that uses parameters for user input instead of building the command with string concatenation.
Input validation
The process of checking that input matches the expected type, length, format, and allowed values before using it.
Least privilege
A security rule that gives each account or program only the minimum permissions needed to do its job.
Error handling
The way a program responds to failures, including showing safe messages to users and recording useful details for developers.

Common Mistakes to Avoid

  • Building SQL with string concatenation, because attacker input can become part of the command instead of remaining data.
  • Relying only on client-side validation, because attackers can bypass browser checks and send requests directly to the server.
  • Escaping quotes as the only protection, because escaping can be missed, implemented incorrectly, or fail in unusual database settings.
  • Using a database account with administrator permissions, because a successful injection could then read, change, or delete far more data.
  • Showing raw database error messages to users, because errors can reveal table names, column names, query structure, and other attack clues.

Practice Questions

  1. 1 A login query is built as SELECT * FROM users WHERE username = '" + input + "'. What unsafe SQL might be produced if input is ' OR '1'='1?
  2. 2 Rewrite this unsafe query using a placeholder: SELECT * FROM products WHERE product_id = " + productId.
  3. 3 A form field for age receives the value 17; DROP TABLE users;. Name two defenses that should prevent this from becoming a successful SQL injection.
  4. 4 Why do prepared statements protect against SQL injection better than simply checking whether the input contains the word SELECT?