sql-injection
Safeguard articles tagged "sql-injection" — guides, analysis, and best practices for software supply chain and application security.
46 articles
SQL Injection Prevention in Java with PreparedStatement
Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.
SQL Injection Prevention in Python with Parameterized Que...
SQL injection remains widespread in Python apps despite decades-old fixes. Here's how parameterized queries actually prevent it, and where ORMs still leave gaps.
SQL Injection Prevention in Node.js/JavaScript
SQL injection still hits Node.js apps through raw drivers, Sequelize, Prisma, and Knex alike. Here's how it happens, what safe queries look like, and how to catch it in CI.
SQL Injection Prevention in Go with database/sql Prepared...
How Go's database/sql prepared statements prevent SQL injection, where developers still get it wrong with dynamic queries and ORMs, and how Safeguard catches these gaps in code review.
SQL Injection Prevention in C# with Entity Framework/LINQ
EF Core's LINQ layer parameterizes queries by default, but FromSqlRaw, ExecuteSqlRaw, and dynamic sort columns still open real SQL injection risk in .NET apps.
SQL Injection Prevention in PHP with Parameterized Queries
Parameterized queries stop SQL injection in PHP by separating code from data. Here's how PDO and MySQLi prepared statements work, and where they still fail.
SQL Injection Prevention in Ruby with exec_params Binding
Ruby's pg gem makes SQL injection preventable with one method change. Here's how exec_params binds parameters, why Rails CVEs keep recurring, and how to migrate safely.
SQL Injection Prevention in Rust with sqlx
sqlx blocks SQL injection by default with compile-time query checks and bind parameters — but format!() and raw SQL calls can still reopen the gap. Here's how to audit for it.
SQL Injection Prevention in C++ with SQLite Bind Parameters
How sqlite3_bind_text() stops SQL injection in C++ apps, common mistakes with bind parameters, and how to audit existing SQLite code for injection risk.
CVE-2020-9402: SQL injection via Django GIS functions
CVE-2020-9402 let attackers inject SQL through GeoDjango's tolerance parameter on Oracle backends. Here's what's affected, severity context, and how to remediate.
CVE-2022-34265: SQL injection via Trunc/Extract database ...
A technical breakdown of CVE-2022-34265, the Django SQL injection flaw in Trunc() and Extract(), covering affected versions, risk, and remediation steps.
How Snyk Code detects SQL injection vulnerabilities step ...
A mechanical, publicly-documented look at how Snyk Code's symbolic analysis and ML model trace source-to-sink data flow to detect SQL injection vulnerabilities.