Security: SQL Injection in 2025
June 03, 2025
In 2025, SQL Injection (SQLi) is still the #1 vulnerability.
How it happens
```python
# BAD: the raw request value is pasted straight into the SQL text,
# so quotes in user_input end the string and the rest is parsed as SQL.
query = f"SELECT * FROM users WHERE name = '{user_input}'"
```
If I enter `Otabek' OR '1'='1`, the query becomes `SELECT * FROM users WHERE name = 'Otabek' OR '1'='1'`, and since `'1'='1'` is always true it matches every row, effectively `SELECT * FROM users`. I dump your database.
Parameterization
Use the database driver's placeholder system.
```python
# GOOD: the value is bound by the driver, never spliced into the SQL text.
# %s is the placeholder style of psycopg2 / MySQL drivers; sqlite3 uses ? instead.
cursor.execute("SELECT * FROM users WHERE name = %s", [user_input])
```
The driver sends `%s` as a bound parameter, so the database treats it as data, not code. Even if I input SQL commands, they are compared as one odd-looking string literal and never parsed.
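To see both behaviours side by side, here is an added example (not code from the original post) that builds a small constructed `users` table in an in-memory SQLite database and runs the same input through the interpolated query and the parameterized one. SQLite's placeholder is `?` rather than the `%s` shown above; the names and rows are made up for the demo.

```python
import sqlite3

def make_db():
    """Constructed sample database: three users, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("Otabek",), ("alice",), ("bob",)])
    conn.commit()
    return conn

def find_user_bad(conn, user_input):
    """Vulnerable: the input is interpolated into the SQL text."""
    query = f"SELECT name FROM users WHERE name = '{user_input}'"
    return [row[0] for row in conn.execute(query)]

def find_user_good(conn, user_input):
    """Parameterized: the driver binds the value, so it is only ever data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (user_input,))]

if __name__ == "__main__":
    conn = make_db()
    payload = "Otabek' OR '1'='1"
    # Interpolated: WHERE clause is always true, every row comes back.
    print(find_user_bad(conn, payload))
    # Parameterized: no user has that literal name, nothing comes back.
    print(find_user_good(conn, payload))
    # Normal input still works with the parameterized query.
    print(find_user_good(conn, "Otabek"))
```

Running it prints all three names for the vulnerable function, an empty list for the parameterized one, and `['Otabek']` for a normal lookup.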
ORM Protection
Django's ORM does this automatically.
`User.objects.filter(name=user_input)` is safe: the ORM binds the value as a parameter.
But `User.objects.raw(f"...")` is NOT. Once you build the SQL string yourself with an f-string, the ORM cannot help you; if you must use `raw()`, pass the values through its `params` argument instead of formatting them in.
Conclusion
Never trust user input. Always use parameterized queries or an ORM.