SQL injection

What is SQL injection?

SQL injection is an attack where untrusted input alters the database query a server runs. When an application builds a query by gluing user input directly into a string, an attacker can write input that changes what the query does. Instead of searching for a username, the query might return every row, skip the password check, or drop a table. The attack hits the database and the data behind it, which is what makes it dangerous.

It works because the application cannot tell the difference between data and command once they are mixed into one string. Enter a value like ' OR '1'='1 into a login form built this way and the WHERE clause becomes always true, letting someone in without knowing a password. This differs from XSS, which targets the browser of another user. SQL injection targets the server and its data store. Both come from the same flaw, trusting input, but they attack different layers.

The fix is parameterised queries, also called prepared statements. The query structure is defined separately from the values, so user input can never change the command. ORMs and query builders do this by default, which is why they are safer than hand-built strings. Least-privilege database accounts and input validation add further layers, limiting damage even if something slips through.
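To make the difference concrete, here is an added example (not Dallonses' code) using Python's built-in sqlite3 module and a constructed in-memory users table: the same login input, including the ' OR '1'='1 value above, run through a concatenated query and through a parameterised one.

```python
import sqlite3

# Constructed toy data for the demonstration only; not a real application's table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_concatenated(conn, username, password):
    # Vulnerable: input is glued into the SQL text, so it can change the command.
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = 'x' AND password = '' OR '1'='1'
    # which is true for every row.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterised(conn, username, password):
    # Fixed: the query structure is defined once; the driver binds the values
    # as data, so the same input is compared literally and matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated :", login_concatenated(db, "nobody", payload))   # ['alice', 'bob']
    print("parameterised:", login_parameterised(db, "nobody", payload))  # []
    print("legit login  :", login_parameterised(db, "alice", "correct horse"))  # ['alice']
```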

SQL injection at Dallonses

We never build queries by concatenating user input. Parameterised queries are the default across every project, and database accounts get only the permissions the job needs and nothing more. When we review a pull request, any raw query handling input is a flag we stop on.

This sits inside our wider QA strategy and governance practice across web development and custom web applications. Security is part of software quality assurance, checked continuously rather than audited once at the end. We have built systems holding sensitive customer and business data for brands where a leak would be a real failure, and that responsibility shapes how we write the data layer from day one.

Got a database holding data you can't afford to lose? Let's make sure it stays locked.

Talk to us about secure builds
