🔒 AppSec & Secure Code Review Language
5 exercises — input validation, sanitisation, SAST/DAST, and secure code review vocabulary for developers and security engineers. Advanced
1 / 5
A Java code review finds this line:
String query = "SELECT * FROM users WHERE email = '" + email + "'";
The review comment reads: "This is vulnerable to SQL injection — use parameterised queries."
What does a parameterised query (prepared statement) mean?
Parameterised queries (prepared statements) separate SQL structure from user data — user input is always a parameter, never part of the SQL text.
Vulnerable (string concatenation):
String query = "SELECT * FROM users WHERE email = '" + email + "'";
// If email = "' OR '1'='1", the query becomes:
// SELECT * FROM users WHERE email = '' OR '1'='1'
// → returns ALL users
Safe (parameterised query):
PreparedStatement stmt = conn.prepareStatement(
    "SELECT * FROM users WHERE email = ?");
stmt.setString(1, email);
ResultSet rs = stmt.executeQuery();
// User input goes into the '?' slot as a typed string value
// It is NEVER parsed as SQL — injection is structurally impossible
Key vocabulary:
- Input binding — attaching user data to a parameter slot in the query template
- Query template — the SQL structure with ? placeholders, compiled separately from the data
- SQL structure separated from data — the core principle that makes injection impossible
- String concatenation / interpolation — the dangerous pattern that enables SQL injection