HLDsystem_design~7 mins

SQL injection and XSS prevention in HLD - System Design Guide

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Problem Statement

When user input is directly included in database queries or web pages without proper checks, attackers can inject malicious SQL commands or scripts. This leads to data theft, unauthorized access, or defacement of websites, causing severe security breaches and loss of user trust.

Solution

To prevent these attacks, user inputs must be treated as data, not code. For SQL injection, use parameterized queries or prepared statements that separate code from data. For XSS, sanitize and encode user inputs before displaying them on web pages, ensuring scripts cannot execute in the browser.

Architecture

User Input

→Input Validation

↓

Parameterized SQL

↓

Database

↓

User Input

→Input Sanitizer

↓

Output Encoding

↓

Browser

The diagram shows two flows: one for SQL injection prevention using parameterized queries, and one for XSS prevention using input sanitization and output encoding before rendering in the browser.

Trade-offs

✓ Pros

→

Protects sensitive data and prevents unauthorized database access.

→

Prevents malicious scripts from running in users' browsers, safeguarding user experience.

→

Improves overall system security posture and compliance with security standards.

→

Reduces risk of costly data breaches and reputation damage.

✗ Cons

→

Requires careful implementation and consistent use across all input points.

→

May introduce performance overhead due to input validation and encoding.

→

Complexity increases when handling diverse input types and legacy codebases.

Always use in any system accepting user input, especially web applications with database interactions and dynamic content rendering. Critical when handling sensitive data or operating at scale with many users.

Not applicable to systems that do not process external user input or do not interact with databases or web content, such as internal batch processing without user interfaces.

Real World Examples

Netflix

Uses parameterized queries to prevent SQL injection in their user data management systems, ensuring secure handling of subscription and viewing data.

Twitter/X

Implements strict input sanitization and output encoding to prevent XSS attacks in tweets and user profiles, protecting users from malicious scripts.

Amazon

Employs prepared statements and content security policies to prevent injection attacks and XSS in their e-commerce platform, securing transactions and user reviews.

Code Example

The before code directly inserts user input into SQL queries and HTML, allowing attackers to inject malicious code. The after code uses parameterized queries to separate data from code in SQL, and escapes HTML special characters to prevent script execution in the browser.

HLD

Before (vulnerable to SQL injection):

user_id = input("Enter user ID:")
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)

After (using parameterized queries):

user_id = input("Enter user ID:")
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))


Before (vulnerable to XSS):

comment = request.GET.get('comment')
html = f"<div>{comment}</div>"
return html

After (using sanitization and encoding):

import html
comment = request.GET.get('comment')
safe_comment = html.escape(comment)
html = f"<div>{safe_comment}</div>"
return html

OutputSuccess

Alternatives

Stored Procedures

Encapsulates SQL logic in the database, reducing direct query construction in application code.

Use when: When database supports stored procedures and you want centralized query logic with controlled input parameters.

Content Security Policy (CSP)

Browser-level security that restricts sources of executable scripts to prevent XSS.

Use when: When you want an additional layer of defense against XSS beyond input sanitization.

ORM (Object-Relational Mapping)

Abstracts database queries into object methods, often using parameterized queries internally.

Use when: When using high-level frameworks that support ORM to reduce manual query construction.

Summary

SQL injection and XSS attacks exploit improper handling of user input to execute malicious code.

Using parameterized queries and output encoding effectively separates code from data, preventing these attacks.

Consistent implementation of these practices is critical for secure, trustworthy web applications.