Definition
SQL injection is a vulnerability where attacker-controlled input changes the structure of a database query rather than just supplying a value. The classic example: a login form that concatenates username and password into a query like SELECT * FROM users WHERE u='$user' AND p='$pass'. If an attacker submits the username admin' -- , the SQL parser treats everything after -- as a comment, which drops the password check entirely.
Prepared statements (also called parameterized queries) eliminate SQL injection by separating the query structure from the data. The database parses the query shape first, then binds user data into placeholder slots - no matter what the user types, the parser has already decided what is SQL and what is a value. Every modern database driver supports prepared statements.
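The two query styles described above, side by side, as an added example that is not part of the original page: the same login query from the definition, first built by concatenation and then with bound placeholders, run against a constructed in-memory SQLite database with one sample user. The ? placeholders play the role that %s placeholders play in $wpdb->prepare().

```python
import sqlite3


def make_db():
    """Constructed sample database: one user row, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (u TEXT, p TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_concat(conn, user, pw):
    """Vulnerable form from the definition: user input is spliced into the
    SQL text, so the parser sees it as part of the query grammar."""
    sql = f"SELECT * FROM users WHERE u='{user}' AND p='{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, user, pw):
    """Hardened form: the query shape is parsed first, then the driver binds
    each value into a ? slot as a literal, whatever characters it contains."""
    sql = "SELECT * FROM users WHERE u=? AND p=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def demo():
    """Returns whether each variant grants a login for a legitimate user
    and for the comment-injecting username quoted in the definition."""
    conn = make_db()
    payload = "admin' --"  # the username from the page's example
    return {
        "concat_legit": login_concat(conn, "admin", "correct-horse"),
        "concat_attack": login_concat(conn, payload, "wrong"),
        "prepared_legit": login_prepared(conn, "admin", "correct-horse"),
        "prepared_attack": login_prepared(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'logged in' if granted else 'rejected'}")
```

Only the concatenated variant lets the bad password through; the parameterized variant compares the whole string admin' -- against the username column and finds no match.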
How SheetLinkWP relates to SQL Injection
SheetLink Forms uses WordPress's $wpdb->prepare() for every database query that touches user input. Plugin settings, license records, integration configurations - all go through parameterized queries. We also run the WordPress Coding Standards ruleset for PHP_CodeSniffer before every release, which flags any query that concatenates user input instead of passing it through prepare(). The SheetLinkWP backend (built on Next.js and Prisma) uses Prisma's typed query layer, which rules out SQL injection by design.