Overview - How string concatenation creates vulnerabilities

What is it?

String concatenation in databases means joining pieces of text or code together to form a full command or query. When building SQL queries, developers sometimes combine user input with SQL commands using simple text joining. This can cause security problems if the input is not checked carefully. Attackers can insert harmful code into these joined strings, causing the database to run unintended commands.

Why it matters

Without understanding this, applications become easy targets for attackers who can steal, change, or delete data. If string concatenation is used carelessly, hackers can trick the database into doing things it should not, like giving away private information or damaging the system. This can lead to loss of trust, money, and even legal trouble for businesses.

Where it fits

Before learning this, you should know basic SQL commands and how databases work. After this, you will learn safer ways to build queries, like using prepared statements or parameterized queries, which protect against these risks.

Mental Model

Core Idea

Joining user input directly into SQL commands as plain text lets attackers sneak harmful code that the database will run.

Think of it like...

It's like writing a letter where you copy and paste someone else's words without checking. If they sneak in a secret message, the reader might follow dangerous instructions without knowing.

┌─────────────────────────────┐
│ SQL Query Construction       │
├─────────────────────────────┤
│ 'SELECT * FROM users WHERE ' │
│ + user_input                │
│ = full_query                │
└─────────────┬───────────────┘
              │
              ▼
    ┌─────────────────────┐
    │ Database executes    │
    │ full_query as code   │
    └─────────────────────┘

Build-Up - 6 Steps

1

FoundationWhat is string concatenation in SQL

Concept: Understanding how SQL queries can be built by joining strings.

In SQL, you can create commands by joining text pieces. For example, to find a user by name, you might write: 'SELECT * FROM users WHERE name = ' + user_input. This joins the fixed part with what the user types.

Result

A full SQL command string that the database will run.

Knowing how queries are built helps see where user input fits and why it matters.

2

FoundationHow user input affects queries

3

IntermediateWhat is SQL injection attack

4

IntermediateWhy string concatenation is vulnerable

5

AdvancedHow prepared statements prevent injection

6

ExpertSurprising injection vectors beyond concatenation

Under the Hood

When SQL queries are built by joining strings, the database receives a full text command. The database parser reads this text and executes commands as instructed. If user input is part of this text, any SQL code inside it becomes part of the command. This means attackers can inject commands that the database will run as if they were legitimate.

Why designed this way?

Early database systems allowed simple text commands for flexibility and ease of use. String concatenation was a straightforward way to build queries dynamically. However, this design did not anticipate malicious input, so it lacked built-in protections. Over time, safer methods like prepared statements were introduced to separate code from data.

┌───────────────┐      ┌───────────────┐      ┌───────────────┐
│ User Input    │─────▶│ String        │─────▶│ SQL Query     │
│ (text)       │      │ Concatenation │      │ (text command)│
└───────────────┘      └───────────────┘      └───────────────┘
                                               │
                                               ▼
                                      ┌─────────────────┐
                                      │ Database Parser  │
                                      │ Executes command │
                                      └─────────────────┘

Myth Busters - 4 Common Misconceptions

Quick: Does escaping user input fully prevent SQL injection? Commit to yes or no.

Common Belief:Escaping special characters in user input completely stops SQL injection.

Tap to reveal reality

Quick: Is SQL injection only possible with string concatenation? Commit to yes or no.

Common Belief:SQL injection only happens when queries are built by joining strings.

Tap to reveal reality

Quick: Can prepared statements be vulnerable if used incorrectly? Commit to yes or no.

Common Belief:Using prepared statements always guarantees safety from injection.

Tap to reveal reality

Quick: Does parameterizing queries slow down database performance significantly? Commit to yes or no.

Common Belief:Parameterized queries are much slower than concatenated queries.

Tap to reveal reality

Expert Zone

1

Some databases have subtle differences in how they parse concatenated queries, affecting injection risk.

2

Injection can exploit not just WHERE clauses but also ORDER BY, LIMIT, or even data definition commands if concatenated.

3

Advanced attackers use timing and error messages from injection to extract data even when direct output is blocked.

When NOT to use

Avoid string concatenation for building SQL queries in any user-facing context. Instead, use prepared statements, parameterized queries, or ORM frameworks that enforce safe query construction. Concatenation might be acceptable only for static, trusted strings without user input.

Production Patterns

In real systems, developers use parameterized queries or ORM libraries to build queries safely. Input validation and escaping are added layers but not primary defenses. Security audits focus on all dynamic query points, including stored procedures and admin tools, to prevent injection.

Connections

Input Validation

Builds-on

Understanding injection highlights why validating and sanitizing input is crucial before it reaches the database.

Cross-Site Scripting (XSS)

Similar pattern

Both SQL injection and XSS involve injecting malicious code into trusted contexts, showing a common security principle across web and database domains.

Code Injection in Operating Systems

Same pattern in different field

SQL injection is a specific case of code injection, a broader security issue where untrusted input is executed as code, seen also in OS command injection.

Common Pitfalls

#1Directly joining user input into SQL commands.

Wrong approach:query = "SELECT * FROM users WHERE name = '" + user_input + "'";

Correct approach:query = "SELECT * FROM users WHERE name = ?"; // then bind user_input as parameter

Root cause:Misunderstanding that user input is code, not just data, leading to unsafe query construction.

#2Relying only on escaping special characters.

Wrong approach:escaped_input = escape(user_input); query = "SELECT * FROM users WHERE name = '" + escaped_input + "'";

Correct approach:Use prepared statements with parameters instead of manual escaping.

Root cause:Belief that escaping is foolproof, ignoring edge cases and encoding issues.

#3Mixing prepared statements with string concatenation.

Wrong approach:query = "SELECT * FROM users WHERE name = '" + user_input + "' AND status = ?"; // parameter for status

Correct approach:query = "SELECT * FROM users WHERE name = ? AND status = ?"; // parameters for both

Root cause:Partial adoption of safe methods without fully separating code and data.

Key Takeaways

String concatenation in SQL queries mixes code and data, opening doors for attackers to inject harmful commands.

SQL injection is a serious security risk that can expose or damage data if user input is not handled safely.

Prepared statements and parameterized queries separate code from data, effectively preventing injection attacks.

Relying on escaping or partial fixes is risky and often insufficient to stop injection.

Security requires careful query building, input validation, and awareness of all places where code and data meet.