Gotcha (severity: Critical)
SQL injection through string concatenation in queries
Tags: SQL injection, parameterized query, prepared statement, string concatenation, OWASP
nodejs, browser
Error Messages
Problem
Building SQL queries by concatenating user input directly into the query string. This allows attackers to inject arbitrary SQL and read, modify, or delete database data.
Solution
NEVER concatenate user input into SQL strings. Always use parameterized queries. Node (pg): db.query('SELECT * FROM users WHERE id = $1', [userId]). Python: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,)). Placeholders cannot stand in for identifiers, so for dynamic column or table names validate the value against an allowlist of known names before putting it into the query.
Why
String concatenation lets attackers close the intended query and add their own SQL. Parameterized queries send the query structure and the data values to the database separately, so the data is never parsed as SQL and cannot change the query's meaning.
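An added example, not part of the original gotcha, showing the concatenated query next to the parameterized one and an allowlist for a dynamic ORDER BY column. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows so it runs offline; sqlite3 uses ? placeholders where pg uses $1 and psycopg2 uses %s, but the principle is the same. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two sample users (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, user_id):
    """The flaw described above: the raw request value is spliced into the SQL text.

    Input such as "1 OR 1=1" changes the WHERE clause and returns every row.
    """
    sql = "SELECT id, name FROM users WHERE id = " + user_id + " ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_id):
    """Parameterized form: the value travels separately and is never parsed as SQL.

    The same "1 OR 1=1" string is compared against the id column as data
    and simply matches nothing.
    """
    sql = "SELECT id, name FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


# Identifiers (column or table names) cannot be bound as parameters, so a
# dynamic sort column is validated against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "email"})


def is_allowed_sort_column(column):
    """True only for a column name that appears in the allowlist."""
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_column):
    """Sort by a caller-chosen column, but only one from the allowlist."""
    if not is_allowed_sort_column(sort_column):
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe to interpolate: the value is one of our own literal column names.
    sql = f"SELECT id, name FROM users ORDER BY {sort_column}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, "1 OR 1=1"))  # both rows leak
    print("safe:      ", find_user_safe(db, "1 OR 1=1"))  # no rows
    print("sorted:    ", list_users_sorted(db, "name"))
```

Running the script prints both users for the concatenated query and an empty list for the parameterized one with the same input; the allowlist check rejects any sort column that is not one of the three known names.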