Agent skill

sql-injection-prevention

Prevent SQL injection attacks using prepared statements, parameterized queries, and input validation. Use when building database-driven applications securely.

Stars 151
Forks 20

Install this agent skill to your Project

npx add-skill https://github.com/aj-geddes/useful-ai-prompts/tree/main/skills/sql-injection-prevention

SKILL.md

SQL Injection Prevention

Overview

Implement comprehensive SQL injection prevention using prepared statements, parameterized queries, ORM best practices, and input validation.

When to Use

  • Database query development
  • Legacy code security review
  • Security audit remediation
  • API endpoint development
  • User input handling
  • Dynamic query generation

Quick Start

Minimal working example:

```javascript
// secure-db.js
const { Pool } = require("pg");

class SecureDatabase {
  constructor() {
    // Connection settings come from the environment, never from code
    this.pool = new Pool({
      host: process.env.DB_HOST,
      database: process.env.DB_NAME,
      user: process.env.DB_USER,
      password: process.env.DB_PASSWORD,
      max: 20,
      idleTimeoutMillis: 30000,
      connectionTimeoutMillis: 2000,
    });
  }

  /**
   * ✅ SECURE: Parameterized query
   * The SQL text is a constant; userId is sent separately as $1,
   * so it is never parsed as part of the statement.
   */
  async getUserById(userId) {
    const query = "SELECT * FROM users WHERE id = $1";
    const values = [userId];

    try {
      const result = await this.pool.query(query, values);
      return result.rows[0] ?? null;
    } catch (err) {
      // ... (see reference guides for full implementation)
      throw err;
    }
  }
}

module.exports = { SecureDatabase };
```

Reference Guides

Detailed implementations in the references/ directory:

  • Node.js with PostgreSQL
  • Python with SQLAlchemy ORM
  • Java JDBC with Prepared Statements
  • Input Validation & Sanitization

Best Practices

✅ DO

  • Use prepared statements ALWAYS
  • Use ORM frameworks properly
  • Validate all user inputs
  • Whitelist dynamic values
  • Use least privilege DB accounts
  • Enable query logging
  • Run regular security audits
  • Use parameterized queries

❌ DON'T

  • Concatenate user input
  • Trust client-side validation
  • Use string formatting for queries
  • Allow dynamic table/column names
  • Grant excessive DB permissions
  • Skip input validation
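The DO and DON'T lists above map onto a handful of code patterns. The following is an added example, not code from the skill's own `references/` guides: it places the concatenation anti-pattern next to a parameterized query, an input validator, and an allow-list for a dynamic sort column, using the node-postgres `{ text, values }` query shape so it runs without a database. The function names, the `users` columns and the sample value `O'Brien` are all constructed for illustration.

```javascript
// ❌ DON'T: user input spliced into the SQL text. The statement's text now
// depends on the input, so the input can change the query's structure. Even
// a legitimate value such as O'Brien produces a malformed statement here.
function unsafeUserQuery(username) {
  return {
    text: `SELECT * FROM users WHERE username = '${username}'`,
    values: [],
  };
}

// ✅ DO: parameterized query. The SQL text is a constant; the value travels
// out-of-band as $1 and is never parsed as SQL, whatever characters it holds.
function safeUserQuery(username) {
  return {
    text: "SELECT * FROM users WHERE username = $1",
    values: [username],
  };
}

// ✅ DO: validate inputs against their expected type before they reach the
// database layer. Ids are positive integers here; anything else is rejected.
function parseUserId(raw) {
  if (typeof raw !== "string" || !/^[1-9]\d{0,17}$/.test(raw)) {
    throw new TypeError("invalid user id");
  }
  return Number(raw);
}

// ✅ DO: allow-list dynamic identifiers. Column names and sort directions
// cannot be bound as parameters, so the only safe way to make them dynamic is
// to map the request value onto a fixed set of names we wrote ourselves.
const SORTABLE_COLUMNS = new Set(["username", "created_at", "last_login"]);
const SORT_DIRECTIONS = new Set(["ASC", "DESC"]);

function listUsersQuery({ sortBy = "created_at", direction = "ASC", limit = 50 } = {}) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new RangeError(`unsupported sort column: ${sortBy}`);
  }
  const dir = String(direction).toUpperCase();
  if (!SORT_DIRECTIONS.has(dir)) {
    throw new RangeError(`unsupported sort direction: ${direction}`);
  }
  if (!Number.isInteger(limit) || limit < 1 || limit > 500) {
    throw new RangeError("limit out of range");
  }
  // sortBy and dir are now guaranteed to be one of our own literals, so
  // interpolating them is safe; limit is a value, so it stays a parameter.
  return {
    text: `SELECT id, username, created_at FROM users ORDER BY ${sortBy} ${dir} LIMIT $1`,
    values: [limit],
  };
}
```

The test of a safe query builder is that its `text` is identical for every input: only `values` changes. `unsafeUserQuery` fails that test, `safeUserQuery` and `listUsersQuery` pass it, and `listUsersQuery` rejects any sort column or direction that is not one of the literals in its allow-list.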
