🔒 SQL Injection Part 2: Mitigation with Parameterized Queries🔒
In my previous post, I demonstrated how I exploited SQL injection vulnerabilities by targeting fields where user input was directly inserted into SQL queries using string formatting.
In this phase, I focused on fixing those vulnerabilities by replacing the unsafe code patterns. Lines 25, 47, and 56 of the original code were the ones flagged: each built a statement from user input, allowing a malicious user to alter the SQL logic and gain unauthorized access. (Note that the line 47 snippet as reproduced below already uses ? placeholders, i.e. it is shown in its parameterized form; lines 25 and 56 show the vulnerable % formatting.)
Line 25: cur = g.db.execute("SELECT * FROM employees WHERE username = '%s' AND password = '%s'" %(uname, hash_pass(pword)))
Line 47: curs = g.db.execute("""INSERT INTO shop_items(name, quantitiy, price) VALUES(?,?,?)""", (name, quan, price))
Line 56: curs = g.db.execute("SELECT * FROM shop_items WHERE name = '%s'" % item)
Mitigation Strategy: I replaced % string formatting with parameterized queries using ? placeholders in SQLite. The SQL text stays constant and the values are passed separately as bindings, so the database engine never parses user input as part of the statement: it is treated as data, not executable code. That closes the injection in these statements. One caveat worth keeping in mind: placeholders only bind values. Table and column names, ORDER BY targets and similar identifiers cannot be parameterized, so any of those that come from user input must be checked against an allow-list instead.
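As an added example (not the original project's code), here is the line 25 login pattern next to its parameterized replacement, run against a constructed in-memory SQLite database so the difference is observable. hash_pass() is a stand-in for the post's unspecified helper, the employees and shop_items tables and their rows are constructed sample data, and the allow-list for sort columns illustrates the identifier caveat, which goes beyond the three lines the post discusses.

```python
"""Vulnerable vs. parameterized SQLite queries (added example, not the post's code)."""
import hashlib
import sqlite3

# Assumption: identifiers that may come from user input are allow-listed here.
ALLOWED_SORT_COLUMNS = {"name", "price"}


def hash_pass(pword: str) -> str:
    # Stand-in for the post's hash_pass(); the hashing scheme is not the point here.
    return hashlib.sha256(pword.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one employee and two shop items.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (username TEXT, password TEXT)")
    db.execute("INSERT INTO employees VALUES (?, ?)",
               ("alice", hash_pass("correct horse")))
    db.execute("CREATE TABLE shop_items (name TEXT, price REAL)")
    db.executemany("INSERT INTO shop_items VALUES (?, ?)",
                   [("widget", 9.5), ("gadget", 2.0)])
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, uname: str, pword: str) -> bool:
    # The original line 25 pattern: user input spliced into the SQL text.
    sql = ("SELECT * FROM employees WHERE username = '%s' AND password = '%s'"
           % (uname, hash_pass(pword)))
    return db.execute(sql).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, uname: str, pword: str) -> bool:
    # The fix: constant SQL text, values passed as bindings.
    sql = "SELECT * FROM employees WHERE username = ? AND password = ?"
    return db.execute(sql, (uname, hash_pass(pword))).fetchone() is not None


def items_sorted_by(db: sqlite3.Connection, column: str) -> list:
    # Caveat: placeholders bind values only, so an identifier from user input
    # is validated against the allow-list before it is spliced into the SQL.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    rows = db.execute("SELECT name FROM shop_items ORDER BY %s" % column)
    return [row[0] for row in rows]


def items_sorted_badly(db: sqlite3.Connection, column: str) -> list:
    # What "ORDER BY ?" actually does: the bound string is a constant
    # expression, identical for every row, so the rows are not sorted by
    # the named column at all.
    rows = db.execute("SELECT name FROM shop_items ORDER BY ?", (column,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # the -- comment removes the password check
    print("vulnerable   :", login_vulnerable(db, payload, "wrong"))
    print("parameterized:", login_parameterized(db, payload, "wrong"))
    print("honest login :", login_parameterized(db, "alice", "correct horse"))
    print("sorted       :", items_sorted_by(db, "price"))
    print("ORDER BY ?   :", items_sorted_badly(db, "price"))
```

With the payload alice' -- the vulnerable query becomes SELECT * FROM employees WHERE username = 'alice' --' AND password = '...', so the password clause is commented out and the login succeeds with any password; the parameterized version compares the literal string alice' -- against the username column and fails. The last two calls show why the identifier caveat matters: ORDER BY ? runs without error but does not sort, which is the kind of silent failure that tempts developers back into string formatting.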
It’s a small change that makes a huge difference—because sometimes security comes down to catching that one line that could be used against you.
This concludes Part 2 – Mitigation of the series. If you missed Part 1, where I identified and exploited the vulnerability, you can find it on my LinkedIn profile.
If you found this helpful, please like, comment, or share—your feedback is always appreciated!
#CyberSecurity #SQLInjection #PenTesting #WebSecurity #EthicalHacking #AppSec #SAST #DAST #Semgrep
I need an SQL injection developer.
You can use my tool and suggest some features and give feedback 😊