๐ Never Concatenate User Input into SQL
SQL injection is #1 web vulnerability. Parameterized queries prevent it. Always use parameters for user input.
โ Vulnerable (SQL Injection)
string query = "SELECT * FROM users WHERE email = '" + email + "'"; var cmd = new SqlCommand(query, connection); // User input: admin' OR '1'='1 // Query becomes: SELECT * FROM users WHERE email = 'admin' OR '1'='1' // All users returned!
โ Parameterized (Safe)
string query = "SELECT * FROM users WHERE email = @email";
var cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@email", email);
// Email treated as data, not code
// Safe from injection
๐ฏ Parameterized Queries Examples
// SQL Server
string query = "INSERT INTO Users (Name, Email) VALUES (@name, @email)";
using var cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@email", email);
// PostgreSQL (Npgsql)
string query = "INSERT INTO Users (Name, Email) VALUES (@name, @email)";
using var cmd = new NpgsqlCommand(query, connection);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@email", email);
// MySQL
string query = "INSERT INTO Users (Name, Email) VALUES (@name, @email)";
using var cmd = new MySqlCommand(query, connection);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@email", email);
// Entity Framework (safe by default)
var user = await context.Users
.Where(u => u.Email == email)
.FirstOrDefaultAsync();
๐ก Best Practices
- Always use parameterized queries for user input
- Use ORM (Entity Framework, Dapper) for safety
- Validate and sanitize input
- Use stored procedures with parameters
- Regular security audits
“SQL injection is preventable. Parameterized queries are essential. Never concatenate user input into SQL.”
