1. What is SQL injection?
Answer: A vulnerability in which untrusted input is interpreted as part of an SQL statement
rather than as plain data, so an attacker can change the query's logic and read, modify, or
delete data the application never intended to expose. It is most often seen in web
applications, but any code that builds SQL from external input is exposed.
2. How does it typically occur?
Answer: When user input is inserted directly into the SQL text without proper handling (e.g.,
string concatenation or string formatting), a quote, comment sequence, or keyword in the
input can close the intended literal and append attacker-controlled clauses.
3. What are the potential impacts?
Answer: Data leakage, unauthorized data modification or deletion, authentication bypass and
account takeover, and sometimes full system compromise (for example through database
features that read or write files or run OS commands, if the application's DB account is
allowed to use them).
4. Where are common entry points?
Answer: Form fields, URL parameters, JSON or XML request bodies, HTTP headers, cookies, and
any other place the app sends user input to the database, including data that was stored
earlier and is later reused in a query (second-order injection).
5. How can I detect possible SQL injection?
Answer: Watch for SQL syntax errors in application or database logs, request parameters that
contain quotes, comment sequences (--, /*) or SQL keywords such as UNION SELECT,
unexpectedly large result sets, or slow responses caused by time-based probes; back this
up with authorized code review and security testing.
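The log-based detection described above, as an added example that is not part of the original
FAQ. It runs a few constructed access-log and application-log lines (not real traffic) through
heuristic checks: URL-decoded query strings are matched against common payload shapes, and
every line is checked for database error signatures. The patterns, signatures and log format
are assumptions for the illustration, and the checks are heuristics that can miss encoded or
obfuscated payloads and can raise false positives, so treat hits as leads for review, not proof.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (not real traffic): two benign requests,
# two injection attempts, and one application-side database error.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /products?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 200 98231',
    '10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "GET /products?id=42+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 0',
    "app[1234]: ERROR psycopg2.errors.SyntaxError: syntax error at or near \"OR\" LINE 1: SELECT * FROM products WHERE id = 42' OR",
    '10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 3310',
]

# Heuristic payload patterns, applied to the URL-decoded query string.
# A lone apostrophe (o'reilly) is deliberately not enough to trigger a hit.
PAYLOAD_PATTERNS = [
    (re.compile(r"(?i)\b(?:or|and)\b\s*'?\s*\w+\s*'?\s*=\s*'?\s*\w+"), "boolean tautology"),
    (re.compile(r"(?i)\bunion\b(?:\s+all)?\s+select\b"), "UNION SELECT"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
    (re.compile(r"(?i);\s*(?:drop|delete|insert|update|alter|exec)\b"), "stacked query"),
]

# Database error strings that usually mean input broke the query's syntax.
ERROR_SIGNATURES = [
    "syntax error at or near",              # PostgreSQL
    "You have an error in your SQL syntax", # MySQL
    "unterminated quoted string",           # PostgreSQL
    "Unclosed quotation mark",              # SQL Server
    "ORA-01756",                            # Oracle: quoted string not terminated
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def decoded_query(line):
    """Return the URL-decoded query string of an access-log request, or '' for other lines."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    return unquote_plus(urlsplit(m.group(1)).query)


def scan_log_lines(lines):
    """Return [(index, [reasons])] for lines that show signs of SQL injection."""
    findings = []
    for i, line in enumerate(lines):
        reasons = []
        query = decoded_query(line)
        for pattern, label in PAYLOAD_PATTERNS:
            if pattern.search(query):
                reasons.append(label)
        for signature in ERROR_SIGNATURES:
            if signature in line:
                reasons.append("database error: " + signature)
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for index, why in scan_log_lines(LOG_LINES):
        print(index, LOG_LINES[index][:70], "->", ", ".join(why))
```

Decoding before matching matters: the payload in the second line is invisible to a check
that looks at the raw URL, and the error line is caught without any request context at all,
which is why application and database logs should be collected alongside web-server logs.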
6. What is the single best prevention technique?
Answer: Use parameterized queries / prepared statements (never build SQL by concatenating
raw input).
7. Other important defenses?
Answer: Input validation (allow-lists for expected types and formats), least-privilege DB
accounts, stored procedures that do not build dynamic SQL internally, ORMs used through
their parameterized APIs, escaping only for the few things parameters cannot express
(identifiers such as table or column names and sort direction, which are better checked
against a fixed allow-list), Web Application Firewalls (WAFs) as defense in depth rather
than a fix, and thorough logging/monitoring.
8. Is client-side validation enough?
Answer: No. Client-side validation improves UX but is trivially bypassed by sending requests
directly; security must be enforced server-side before the query is constructed.
9. Can frameworks/ORMs fully prevent it?
Answer: They reduce risk when used correctly, but vulnerabilities still arise from raw or
native SQL built with string formatting, from ORM methods that accept SQL fragments (raw
filters, ORDER BY expressions, and similar), and from misconfiguration.
10. How should I handle database permissions?
Answer: Grant the app only the minimum required privileges (e.g., SELECT/INSERT where
DELETE/ALTER aren't needed; a read-only reporting account gets SELECT only; no account the
app connects with should own the schema or hold DDL or file-system rights). That limits what
an injection can do even when one slips through.
11. How should I test my application safely?
Answer: Only perform testing with proper authorization. Use static code analysis, vetted
dynamic scanners, and professional penetration tests.
12. Quick defensive code example (safe):
Answer: Use parameterized queries. Example (Python, defensive; the %s placeholder is the
style used by drivers such as psycopg2 and PyMySQL, while sqlite3 uses ?):
cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
The value is passed to the driver as a separate tuple and is never spliced into the SQL
text. Applying Python's own string formatting to the SQL string before calling execute()
is concatenation in disguise and gives no protection.