The payload under discussion is {KEYWORD};SELECT PG_SLEEP(5)-- and its parts are:

SELECT PG_SLEEP(5): A PostgreSQL function that pauses the current session for exactly 5 seconds. In a time-based injection the attacker does not need to see query output; the delay itself confirms that the injected statement ran.

--: The SQL comment syntax used to ignore the rest of the original, legitimate query so it doesn't cause a syntax error.

🛡️ Critical Defense Strategies

If your goal is to "develop a feature" to prevent this type of attack, the focus should be on robust query parameterization. To protect a PostgreSQL-backed application from injection, you must move away from building queries with string concatenation.

🛠️ Secure Implementation Example (Node.js/pg)

```javascript
// `db` is a connected pg.Client or pg.Pool; `userInput` is the untrusted value (e.g. a query-string parameter)

// UNSAFE: vulnerable to the injection shown above, because the input becomes part of the SQL text
const unsafeQuery = "SELECT * FROM articles WHERE topic = '" + userInput + "'";

// SAFE: parameterized query; the SQL text is a constant and the input is passed separately
const safeQuery = "SELECT * FROM articles WHERE topic = $1";
const values = [userInput];
db.query(safeQuery, values, (err, res) => {
  // The database treats $1 strictly as data, even if it contains "SELECT PG_SLEEP(5)"
});
```
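The following is an added example, not code from the original answer, that makes the difference between the two query styles concrete without a database. It assumes the page's vulnerable query shape (`topic = '...'`) and fills `{KEYWORD}` with a constructed value `news'` so the payload closes that string literal; `splitStatements` is a small tokenizer written for this demo (single-quoted literals, `--` comments, `;` separators), not a full SQL parser.

```javascript
// Added example, not code from the original page. Shows why the payload
// "{KEYWORD};SELECT PG_SLEEP(5)--" changes a concatenated query but not a
// parameterized one. No database is involved; splitStatements() is a small
// tokenizer written for this demo, not a full SQL parser.

// Constructed sample input: {KEYWORD} filled with "news'" so the payload
// closes the string literal of the page's vulnerable query.
const PAYLOAD = "news';SELECT PG_SLEEP(5)--";

// UNSAFE: user input is spliced into the SQL text itself
function buildUnsafe(userInput) {
  return {
    text: "SELECT * FROM articles WHERE topic = '" + userInput + "'",
    values: [],
  };
}

// SAFE: the SQL text is a constant; the input travels separately as $1
function buildSafe(userInput) {
  return { text: "SELECT * FROM articles WHERE topic = $1", values: [userInput] };
}

// Splits SQL text into the statements the server would execute, honouring
// the three syntax elements the payload relies on: single-quoted literals
// ('' is an escaped quote), "--" line comments, and ";" as a separator.
function splitStatements(sql) {
  const stmts = [];
  let cur = "";
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      // copy the whole literal so a ';' or '--' inside it is not special
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; }
          break;
        }
        j += 1;
      }
      cur += sql.slice(i, j + 1);
      i = j + 1;
    } else if (ch === "-" && sql[i + 1] === "-") {
      // "--" comments out everything to the end of the line
      const nl = sql.indexOf("\n", i);
      i = nl === -1 ? sql.length : nl + 1;
    } else if (ch === ";") {
      if (cur.trim()) stmts.push(cur.trim());
      cur = "";
      i += 1;
    } else {
      cur += ch;
      i += 1;
    }
  }
  if (cur.trim()) stmts.push(cur.trim());
  return stmts;
}

// The statements each construction style would hand to the server
function compare(userInput) {
  return {
    unsafe: splitStatements(buildUnsafe(userInput).text),
    safe: splitStatements(buildSafe(userInput).text),
  };
}

console.log(compare(PAYLOAD));
```

For the constructed payload, `compare` reports two statements on the unsafe path (the original SELECT, then `SELECT PG_SLEEP(5)`, with the trailing quote swallowed by the `--` comment) and exactly one on the safe path, where the payload survives only as the string value in `values[0]`. With node-postgres this holds at the protocol level as well: when `values` are supplied, the driver uses PostgreSQL's extended query protocol, which accepts a single statement per query, so a stacked `;SELECT ...` in the SQL text is rejected outright and user data never reaches the parser as SQL.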