What is SQL Injection?

SQL injection is an attack where user input gets interpreted as part of a SQL query, letting the attacker read, modify, or delete data they shouldn't have access to. It happens when a developer builds queries by concatenating strings with user input instead of using parameterized queries.

In more detail

Classic example: `db.query("SELECT * FROM users WHERE email = '" + email + "'")`. If someone submits `' OR 1=1 --` as the email, the query becomes `SELECT * FROM users WHERE email = '' OR 1=1 --'`, which returns every user.

The fix is parameterized queries: `db.query('SELECT * FROM users WHERE email = $1', [email])`. The database receives the parameter separately from the query text and treats it as data, never as SQL. Every modern Postgres, MySQL, or other SQL client library supports this.
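To make the two snippets above concrete, here is an added example (not from the original page) using Python's standard-library sqlite3 module, which uses `?` placeholders where the page's Postgres client uses `$1`; the users table and its three rows are constructed sample data. It runs the page's `' OR 1=1 --` input through both the concatenated and the parameterized form:

```python
import sqlite3

# Constructed sample data (not from the page): three users in an in-memory database.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, email):
    """The concatenation pattern from the page: user input becomes part of the SQL text."""
    sql = "SELECT email, name FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """Parameterized query: the driver passes the value separately, so it is only ever data."""
    return conn.execute("SELECT email, name FROM users WHERE email = ?", (email,)).fetchall()


def demo():
    """Run both forms with a normal e-mail and with the page's injection input."""
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice@example.com"),
        "vulnerable_payload": find_user_vulnerable(conn, payload),  # every row comes back
        "safe_normal": find_user_safe(conn, "alice@example.com"),
        "safe_payload": find_user_safe(conn, payload),  # no user has that literal e-mail
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized version returns an empty result for the injection input because the whole string, quote and comment included, is compared against the email column as a value.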

Why builders care

AI coding tools sometimes generate string-concatenated SQL, especially in quick scaffolding or when asked for raw queries. Supabase, Prisma, Drizzle, and similar tools parameterize by default, but custom raw SQL routes can reintroduce the bug.

Frequently asked questions

Does using an ORM protect me?
Mostly. ORMs parameterize automatically. The risk appears when you use raw SQL escape hatches (`$queryRaw` in Prisma, `.rpc()` with string concatenation in Supabase).
