In 2025, SQL Injection (SQLi) is still the #1 vulnerability.
How it happens
# BAD: user_input is pasted straight into the SQL text, so it can change the query's structure
query = f"SELECT * FROM users WHERE name = '{user_input}'"
If I enter Otabek' OR '1'='1, the query becomes SELECT * FROM users WHERE name = 'Otabek' OR '1'='1', which is true for every row, so it is effectively SELECT * FROM users. I dump your database.
Parameterization
Use the database driver's placeholder system.
# GOOD: the driver fills in the placeholder as a bound value, not through string formatting
cursor.execute("SELECT * FROM users WHERE name = %s", [user_input])
The database treats the value bound to %s as data, not code. Even if I type SQL commands, they are compared as one odd-looking string literal and never executed.
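The BAD and GOOD queries above, run side by side against an in-memory SQLite table. This is an added example, not code from the original post; the table and names are constructed, and it uses sqlite3's "?" placeholder because that is sqlite3's paramstyle, where psycopg2 and MySQLdb use the "%s" shown above.

```python
import sqlite3

# Constructed sample data so the example runs offline.
USERS = [("Otabek",), ("alice",), ("bob",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", USERS)
    return conn


def find_users_vulnerable(conn, user_input):
    # BAD: user input is pasted into the SQL text, so it can change the query's structure.
    query = f"SELECT name FROM users WHERE name = '{user_input}'"
    return [row[0] for row in conn.execute(query)]


def find_users_safe(conn, user_input):
    # GOOD: the driver binds user_input as a value. sqlite3 uses "?" (qmark paramstyle);
    # psycopg2 and MySQLdb use "%s", but the mechanism is the same.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_input,))
    return [row[0] for row in rows]


def demo(user_input):
    """Return (vulnerable_result, parameterized_result) for one input."""
    conn = make_db()
    try:
        return find_users_vulnerable(conn, user_input), find_users_safe(conn, user_input)
    finally:
        conn.close()


if __name__ == "__main__":
    for inp in ["Otabek", "Otabek' OR '1'='1"]:
        vuln, safe = demo(inp)
        print(f"{inp!r}: vulnerable -> {vuln}, parameterized -> {safe}")
```

With the injection string the vulnerable query returns every row while the parameterized one returns none, because no user is literally named Otabek' OR '1'='1. Django's Model.objects.raw() accepts the same kind of placeholder values through its params argument.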
ORM Protection
Django's ORM does this automatically.
User.objects.filter(name=user_input) is safe: the ORM passes the value as a query parameter.
But User.objects.raw(f"...") with user input in the f-string is NOT, because the input is pasted into the SQL before Django ever sees it.
Conclusion
Never trust user input. Always use parameterized queries or an ORM.