
Remediation Steps

Follow the steps below to remediate this finding (Generic / Developer guidance).

  1. SQL injection occurs when untrusted input is concatenated into SQL query text without proper parameterisation, so the input can alter the query's structure rather than being treated as a value.

  2. Remediation:

    • Always use parameterised queries / prepared statements. The SQL text and the bound values are sent to the database separately, so a bound value can never change the query's grammar.

      PDO (PHP):

        // Named placeholder; the value is bound at execute time, never interpolated into the SQL string.
        $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
        $stmt->execute([':id' => $userId]);

      mysqli:

        // Positional placeholder; 'i' declares the bound value as an integer.
        $stmt = $mysqli->prepare('SELECT * FROM users WHERE id = ?');
        $stmt->bind_param('i', $userId);
        $stmt->execute();

    • Use an ORM (Eloquent, Doctrine, SQLAlchemy) that handles parameterisation by default.
    • Validate input types before use (e.g., cast to int for numeric IDs) so that a malformed value is rejected at the boundary rather than reaching the query.
    • Apply the principle of least privilege — database users should only have the permissions they need, which limits the damage of any query that does reach the database.
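The following is an added worked example, not code from the original guidance. It is written in Python with the standard-library sqlite3 module rather than PHP so that it runs without a database server; the same pattern applies to PDO and mysqli. It places the concatenation anti-pattern beside its parameterised replacement and adds the input-type validation step from the list above. The table and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The anti-pattern: untrusted input concatenated into the SQL text.

    Whatever the caller supplies becomes part of the query grammar, so
    a value such as "1 OR 1=1" widens the WHERE clause to every row."""
    query = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_user_parameterised(conn: sqlite3.Connection, user_id) -> list:
    """Prepared statement: the driver sends the value separately from the
    SQL text, so the input is only ever compared as a value. The same
    "1 OR 1=1" string simply matches no id."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def parse_user_id(raw: str) -> int:
    """Type validation at the boundary: a numeric ID must be a plain
    non-negative integer literal; anything else is rejected before any
    query is built."""
    if not raw.isdigit():
        raise ValueError(f"invalid user id: {raw!r}")
    return int(raw)


def lookup_user_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validate first, then bind the typed value to the placeholder."""
    return lookup_user_parameterised(conn, parse_user_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input that a user could submit in a form field
    print("vulnerable, normal input:   ", lookup_user_vulnerable(db, "2"))
    print("vulnerable, crafted input:  ", lookup_user_vulnerable(db, crafted))
    print("parameterised, crafted input:", lookup_user_parameterised(db, crafted))
    print("hardened, normal input:     ", lookup_user_hardened(db, "2"))
    try:
        lookup_user_hardened(db, crafted)
    except ValueError as exc:
        print("hardened, crafted input:     rejected:", exc)
```

Running the script shows the three layers in order: the concatenated query returns all three rows for the crafted input, the parameterised query returns none because the driver compares the whole string as a literal, and the hardened path never builds a query at all because type validation rejects the input first. Least privilege is the remaining layer: even a query that does get through should run as a database user that cannot read or modify more than the application needs.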