
Fix a SQL Injection Vulnerability

A real security problem you debug end to end in a live cloud workspace, then show on your portfolio. No tutorial, no toy app - a broken system that behaves like production.

Level: Junior
Time: ~20 min
Cost: Free

The scenario

A security audit flagged a critical finding in the user directory API. The /search endpoint is vulnerable to SQL injection -- an attacker can craft a query parameter that returns all records from the users table, bypassing any filter.

The broken code you start with

app.py (the injectable query)

from flask import request

# cur is an open cursor on the app's PostgreSQL connection
q = request.args.get("q", "")
# f-string interpolation - the attacker-controlled value becomes part of the SQL text itself
query = f"SELECT id, username FROM users WHERE username LIKE '%{q}%'"
cur.execute(query)

What this teaches you

What you did: Replaced f"SELECT ... WHERE name LIKE '%{q}%'" with cursor.execute("SELECT ... WHERE name LIKE %s", (f"%{q}%",)). The driver now escapes the value before it reaches the database - the classic ' OR 1=1 -- payload becomes a literal search term, not SQL.

Why it matters: SQL injection has been the most common web vulnerability for over 15 years - it appears on every security industry watchlist because it is so easy to introduce and so damaging when exploited. Every language's database driver supports parameterization; there is no good reason to use string formatting for SQL.

In the real world: This is what code review catches in the first 10 seconds. Every linter (Bandit, semgrep, CodeQL) has a rule for it. The bug exists because someone copied an old example or thought "what could go wrong with just this one column."
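The following is an added, stand-alone example (not the project's own app.py) that puts the injectable query next to its parameterized form so you can see the difference on the page's own ' OR 1=1 -- payload. It uses Python's built-in sqlite3 with an in-memory database and constructed sample rows so it runs offline; sqlite3 uses ? placeholders where psycopg2 uses %s, but the mechanism is identical. It also goes one step beyond the fix described above: because the search uses LIKE, a parameterized query still lets % and _ in the input act as wildcards, so a third function escapes them (an assumed hardening step, not something the page describes).

```python
import sqlite3

# Constructed sample data for this demo; not the project's real users table.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol_admin")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, username) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, q):
    """The pattern from the broken app.py: user input is spliced into the SQL text."""
    query = f"SELECT id, username FROM users WHERE username LIKE '%{q}%'"
    return conn.execute(query).fetchall()


def search_fixed(conn, q):
    """Parameterized query: the value is bound as data and can never change the SQL.

    sqlite3 uses '?' as the placeholder; psycopg2 (PostgreSQL) uses '%s' for the
    same thing. The wildcard characters are added to the *value*, not the SQL.
    """
    return conn.execute(
        "SELECT id, username FROM users WHERE username LIKE ?", (f"%{q}%",)
    ).fetchall()


def search_fixed_literal(conn, q):
    """Parameterized *and* wildcard-safe (assumed hardening step).

    Even with parameters, '%' and '_' inside q are still LIKE metacharacters,
    so a query of '_' would match every one-or-more-character username.
    Escaping them with an ESCAPE clause makes the user's text match literally.
    """
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (f"%{escaped}%",),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(conn, payload))  # every row leaks
    print("fixed:     ", search_fixed(conn, payload))        # payload is a literal term
    print("wildcard _ :", search_fixed(conn, "_"), "->", search_fixed_literal(conn, "_"))
```

Run it as a script and compare the three lines: the vulnerable search returns all three users for the injection payload, the parameterized search returns nothing because the payload is matched as plain text, and the wildcard-escaped search narrows "_" from "everyone" down to the one username that actually contains an underscore. Bandit, semgrep and CodeQL all flag the first function's f-string query; the other two pass.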

What you'll practice

Why this impresses a hiring manager

On your portfolio, this becomes

Replaced f-string SQL with parameterized queries (cursor.execute with %s placeholders), neutralizing the OR-1=1 / UNION SELECT classes

Keep going


Build this project free

You're in a real cloud workspace in 30 seconds. Fix it, and it lands on your portfolio.
