Apa sing dimaksud SQL injection lan bagaimana cara nyegah?

Question

Accepted Answer

**SQL injection** minangka kerentanan ing ngendi penyerang nyisipake SQL jahat liwat input pengguna — manipulasi query basis data kanggo nyuri data, lumpuhake autentikasi, utawa rusak data. Iki salah siji kerentanan web paling mbahaya lan klasik, nanging bisa dicegah kanthi teknik sing bener.

## Cara SQL injection bisa terjadi

```text
When user input is concatenated directly into a SQL query, an attacker can INJECT SQL:
```

```js
// ❌ VULNERABLE — user input concatenated into the query
const query = `SELECT * FROM users WHERE email = '${userInput}'`;
// attacker enters:  ' OR '1'='1
// → SELECT * FROM users WHERE email = '' OR '1'='1'   → returns ALL users!
// or:  '; DROP TABLE users; --   → could delete the table
```

Input penyerang diperlakoni minangka **kode SQL** tinimbang data — mungkasi sing bisa ngubah ulang query (lumpuhake login, numpukake kabeh data, ilangake tabel).

## Pencegahan: parameterized queries (perbaikan utama)

```js
// ✅ PARAMETERIZED / PREPARED statements — input is treated as DATA, never as code
const query = 'SELECT * FROM users WHERE email = ?';
db.execute(query, [userInput]);     // the value is safely bound, not concatenated
// → the database treats userInput as a literal value → injection impossible
```

**Parameterized queries (prepared statements)** pisahake kode SQL saka data — input ora bisa dikarepake minangka SQL. Iki pertahanan primer lan dipercaya.

## Pertahanan tambahan

```text
✓ PARAMETERIZED queries / prepared statements → the #1 fix (always use them)
✓ ORMs/query builders → use parameterization under the hood (but don't bypass with raw
  string concatenation)
✓ INPUT VALIDATION (defense in depth) — validate/sanitize, but NOT a substitute for
  parameterization
✓ LEAST PRIVILEGE DB accounts (limit damage); avoid exposing detailed DB errors
→ NEVER build queries by concatenating user input.
```

## Mengapa iki penting

Paham tentang SQL injection lan cara nyegahna iku penting banget amarga iki **salah siji kerentanan web paling mbahaya, klasik, lan umum** (bagian saka kategori OWASP injection), nanging bisa dicegah sepenuhane, dadi kudu ditakluki para pengembang manapun sing nggarap basis data.

Paham **carane bisa terjadi** — yen concatenate input pengguna langsung menyang query SQL, penyerang bisa **inject kode SQL** (inpute diperlakoni minangka kode tinimbang data), bisa lumpuhake autentikasi (`' OR '1'='1`), numpukake kabeh data, utawa malah ilangake tabel (`'; DROP TABLE`) — perlu kanggo kenal lan ngindari kerentanan.

SQL injection bisa ngakibatake masalah gedhe (kebocoran data lengkap, perusakan data, lumpuhane autentikasi), dadi iki krusial banget.

Paham tentang **pencegahan** iku penting: **parameterized queries (prepared statements)** iku perbaikan primer lan dipercaya — bisa **pisahake kode SQL saka data** dadi input pengguna diperlakoni minangka nilai literal sing ora bisa dikarepake minangka SQL, ngilangake kemungkinan injection.

Iki pertahanan utama nomer 1 sing kudu digunakake saben pengembang.

Paham tentang **pertahanan tambahan** — migunaake ORMs/query builders (sing parameterisasi, nanging ora dilangkahi kanthi concatenation mentah), validasi input minangka defense-in-depth (nanging dudu panganti parameterisasi), akun basis data kanthi privilege minimal, lan ngindari eksposisi error sing rinci — lan aturan kardinal kanggo **ora kontinu concatenate input pengguna menyang query** — nggayutake pencegahan menyeluruh.

Kuran SQL injection iku kerentanan mbahaya, umum, lan klasik kanthi konsekuensi parah (kebocoran data, ilang data, lumpuhane auth) sing bisa dicegah sepenuhane kanthi parameterized queries, lan kuran paham carane terjadi lan cara nyegahna iku penting kanggo pengembang manapun sing nggarap basis data, paham SQL injection lan pencegahe iku pengetahuan keamanan penting kudu ditakluki — kerentanan fundamental kanggo dipaham lan ditahan, ing ngendi perbaikan simpel lan dipercaya (parameterized queries) iku pengetahuan krusial sing nyegah salah siji kelas serangan paling ngrusak.