# sql-injection-prevention

aj-geddes/useful-ai-prompts · updated Apr 8, 2026

# SQL Injection Prevention

## Overview

Implement comprehensive SQL injection prevention using prepared statements, parameterized queries, ORM best practices, and input validation.
## When to Use
- Database query development
- Legacy code security review
- Security audit remediation
- API endpoint development
- User input handling
- Dynamic query generation
## Quick Start

Minimal working example:

```javascript
// secure-db.js
const { Pool } = require("pg");

class SecureDatabase {
  constructor() {
    this.pool = new Pool({
      host: process.env.DB_HOST,
      database: process.env.DB_NAME,
      user: process.env.DB_USER,
      password: process.env.DB_PASSWORD,
      max: 20,
      idleTimeoutMillis: 30000,
      connectionTimeoutMillis: 2000,
    });
  }

  /**
   * ✅ SECURE: Parameterized query
   * The user-supplied id is sent as the bound parameter $1 and is never
   * spliced into the SQL text, so it cannot change the query's structure.
   */
  async getUserById(userId) {
    const query = "SELECT * FROM users WHERE id = $1";
    const values = [userId];
    try {
      const result = await this.pool.query(query, values);
      return result.rows[0] ?? null;
    } catch (err) {
      // Log the failure without echoing the bound values, then surface it to the caller.
      console.error("getUserById failed:", err.message);
      throw err;
    }
  }
  // ... (see reference guides for full implementation)
}

module.exports = { SecureDatabase };
```
## Reference Guides

Detailed implementations in the references/ directory:

- Node.js with PostgreSQL
- Python with SQLAlchemy ORM
- Java JDBC with Prepared Statements
- Input Validation & Sanitization
## Best Practices

✅ DO

- Use prepared statements always
- Use ORM frameworks properly
- Validate all user inputs
- Whitelist dynamic values
- Use least-privilege DB accounts
- Enable query logging
- Run regular security audits
- Use parameterized queries

❌ DON'T

- Concatenate user input into queries
- Trust client-side validation
- Use string formatting to build queries
- Allow dynamic table/column names
- Grant excessive DB permissions
- Skip input validation
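The DO and DON'T lists above come together in one place: values go through `$n` placeholders, but identifiers (sort columns, directions) cannot be bound as parameters, so they must come from a fixed whitelist. The following is an added example, not code from the skill or from the aj-geddes/useful-ai-prompts repository; `buildUserSearchQuery`, `USER_SORT_COLUMNS` and the `users` table columns are assumptions for illustration. It returns the `{ text, values }` pair that `pg`'s `pool.query(text, values)` accepts, so it runs without a database.

```javascript
// Added example (not part of the sql-injection-prevention skill): build
// parameterized queries whose dynamic identifiers come only from an allow-list.
// buildUserSearchQuery, USER_SORT_COLUMNS and the users columns are assumed names.

// Identifiers can never be bound as $1 parameters, so dynamic column and
// direction names must be chosen from a fixed allow-list, never taken verbatim
// from the request.
const USER_SORT_COLUMNS = new Set(["id", "email", "created_at"]);
const SORT_DIRECTIONS = new Set(["ASC", "DESC"]);

function requirePositiveInt(value, name) {
  // Accept only canonical decimal integers: "12abc", "1 OR 1=1", "" and 0 all fail.
  if (typeof value !== "string" && typeof value !== "number") {
    throw new TypeError(`${name} must be a number or numeric string`);
  }
  const s = String(value);
  if (!/^[1-9][0-9]{0,9}$/.test(s)) {
    throw new RangeError(`${name} must be a positive integer`);
  }
  return Number(s);
}

function requireAllowed(value, allowed, name) {
  if (typeof value !== "string" || !allowed.has(value)) {
    throw new RangeError(`${name} is not in the allow-list`);
  }
  return value;
}

/**
 * Build a parameterized prefix search over the (assumed) users table.
 * - emailPrefix is bound as $1: it lands in `values`, never in `text`
 * - sortBy / direction are interpolated only after passing the allow-list,
 *   because placeholders cannot stand in for identifiers
 * - limit is validated as an integer and still bound as $2
 */
function buildUserSearchQuery({ emailPrefix, sortBy = "id", direction = "ASC", limit = 50 }) {
  const column = requireAllowed(sortBy, USER_SORT_COLUMNS, "sortBy");
  const dir = requireAllowed(String(direction).toUpperCase(), SORT_DIRECTIONS, "direction");
  const max = requirePositiveInt(limit, "limit");
  if (typeof emailPrefix !== "string" || emailPrefix.length > 254) {
    throw new RangeError("emailPrefix must be a string of at most 254 characters");
  }
  // Escape LIKE metacharacters in user data so the pattern means "starts with"
  // rather than letting % or _ in the input widen the match.
  const pattern = emailPrefix.replace(/[\\%_]/g, (c) => `\\${c}`) + "%";
  const text =
    "SELECT id, email, created_at FROM users " +
    "WHERE email LIKE $1 ESCAPE '\\' " +
    `ORDER BY "${column}" ${dir} LIMIT $2`;
  return { text, values: [pattern, max] };
}

module.exports = { buildUserSearchQuery, requirePositiveInt, requireAllowed };
```

Usage: `const q = buildUserSearchQuery({ emailPrefix: "alice", sortBy: "email", direction: "desc", limit: "10" }); await pool.query(q.text, q.values);`. Because the SQL text is fixed apart from whitelisted identifiers, query logging (another item on the DO list) records a small, stable set of statement shapes, which makes anomalous queries easy to spot.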
## Ratings

4.8 ★★★★★ (74 reviews)

- ★★★★★ Maya Mehta · Dec 28, 2024
  sql-injection-prevention reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★ Daniel Huang · Dec 20, 2024
  Solid pick for teams standardizing on skills: sql-injection-prevention is focused, and the summary matches what you get after install.
- ★★★★★ Chaitanya Patil · Dec 16, 2024
  Solid pick for teams standardizing on skills: sql-injection-prevention is focused, and the summary matches what you get after install.
- ★★★★★ Ishan Perez · Dec 16, 2024
  sql-injection-prevention has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★ Hassan Shah · Dec 16, 2024
  Keeps context tight: sql-injection-prevention is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★ Noah Flores · Dec 4, 2024
  sql-injection-prevention has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★ Soo Jain · Nov 27, 2024
  Useful defaults in sql-injection-prevention — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★ Anika Yang · Nov 23, 2024
  sql-injection-prevention fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★ Maya Torres · Nov 19, 2024
  sql-injection-prevention is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★ Noor Robinson · Nov 11, 2024
  We added sql-injection-prevention from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.