Security

SQL injection

Last updated: 4 Mar 2026

Definition

Untrusted input is concatenated into SQL so that an attacker alters query logic to read/modify data.

How to fix SQL injection?

Use parameterized queries or ORM bind variables instead of building SQL from strings; run the application under least-privilege database accounts; validate inputs; and add regression tests that exercise injection payloads.
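The vulnerable pattern and its parameterized replacement side by side, together with the regression check the fix recommends. This is an added example written for this entry, not code from the original page; the users table, its rows and the two payloads are constructed here for illustration, and sqlite3 stands in for whatever driver an application actually uses.

```python
import sqlite3

# Constructed schema and rows (an assumption for the example, not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is concatenated into the statement text, so quotes and
    # keywords in the input become part of the query logic.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Bind variable: the driver sends the value separately from the statement,
    # so whatever the input contains is compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads for the regression test: one widens the WHERE clause with
# an always-true condition, the other comments out the closing quote.
INJECTION_PAYLOADS = ["' OR '1'='1", "bob' --"]


def injection_regression(conn: sqlite3.Connection, query_fn) -> dict:
    """Map each payload to the number of rows it returns.

    No real user is named like a payload, so a correctly parameterized
    query must return 0 rows for every entry; anything else is a finding.
    """
    return {p: len(query_fn(conn, p)) for p in INJECTION_PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", injection_regression(db, find_user_vulnerable))
    print("safe:      ", injection_regression(db, find_user_safe))
```

Wire injection_regression into the test suite for every function that takes user input into a query; it turns the "add tests for injection payloads" advice into a check that fails the build when someone reintroduces string concatenation.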

Symptoms

Observable signs that may indicate SQL injection:

  • Unexpected rows returned or privilege changes after user-controlled input.
  • Database errors mentioning syntax near quotes or UNION/SELECT.
  • Blind timing differences when injecting logical conditions (e.g., sleep/delay).

Example errors:

  • SQL syntax error near '...'
  • ORA-00933: SQL command not properly ended
  • PostgreSQL error: unterminated quoted string
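A small detector for the error symptoms listed above, run over application log lines. This is an added example, not part of the original entry; the log format and the five sample lines are constructed for illustration, and the signature patterns are my phrasing of the error strings the entry names.

```python
import re
from collections import Counter

# Signatures derived from the error examples above (patterns are an assumption).
ERROR_SIGNATURES = {
    "generic_syntax_near": re.compile(r"SQL syntax error near", re.IGNORECASE),
    "oracle_ora_00933": re.compile(r"\bORA-00933\b"),
    "postgres_unterminated": re.compile(r"unterminated quoted string", re.IGNORECASE),
    "union_select_in_error": re.compile(r"\bUNION\b.*\bSELECT\b", re.IGNORECASE),
}

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2026-03-04T10:01:02Z app INFO GET /items?id=42 200
2026-03-04T10:01:05Z app ERROR db: SQL syntax error near ''' at line 1
2026-03-04T10:01:09Z app ERROR db: ORA-00933: SQL command not properly ended
2026-03-04T10:02:11Z app ERROR db: PostgreSQL error: unterminated quoted string at or near "'"
2026-03-04T10:02:15Z app INFO GET /items?id=43 200
"""


def scan_log(text: str) -> list:
    """Return (line_number, signature_name) for every line matching a signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in ERROR_SIGNATURES.items():
            if pattern.search(line):
                hits.append((lineno, name))
                break  # one finding per line is enough for an alert
    return hits


def errors_per_minute(text: str) -> Counter:
    """Bucket matching lines by their minute (timestamp is the first token)."""
    lines = text.splitlines()
    buckets = Counter()
    for lineno, _ in scan_log(text):
        stamp = lines[lineno - 1].split()[0]  # e.g. 2026-03-04T10:01:05Z
        buckets[stamp[:16]] += 1  # keep YYYY-MM-DDTHH:MM
    return buckets


def should_alert(text: str, threshold: int = 2) -> bool:
    """Alert when any single minute shows at least `threshold` DB syntax errors;
    one stray error is often a bug, a burst usually means someone is probing."""
    return any(n >= threshold for n in errors_per_minute(text).values())


if __name__ == "__main__":
    for lineno, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
    print("alert:", should_alert(SAMPLE_LOG))
```

Syntax errors on their own are noisy; the per-minute burst threshold is what separates a typo in a migration from repeated probing, and the blind timing symptom above needs a different signal (query latency per endpoint), which this scanner does not cover.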