SQL Injection Prevention

Multi-layer protection against SQL injection through whitelist enforcement, parameterization, and pattern detection.

Three Layers of Protection

Signando Postgres uses multiple defense mechanisms against SQL injection:

┌─────────────────────────────────────────────────────────┐
│  Layer 1: Query Whitelist (fingerprint matching)        │
│  ↓ Only whitelisted query templates pass                │
├─────────────────────────────────────────────────────────┤
│  Layer 2: Parameterization Enforcement                  │
│  ↓ No inline literals allowed, $1, $2... only           │
├─────────────────────────────────────────────────────────┤
│  Layer 3: Pattern Detection                             │
│  ↓ Known attack patterns blocked                        │
└─────────────────────────────────────────────────────────┘

Configuration

# policy.yaml
sql_injection:
  # Require parameterized queries (no inline literals)
  enforce_parameterization: true

  # Block known attack patterns
  block_patterns:
    - "OR '1'='1'"
    - "UNION SELECT"
    - "; DROP"
    - "-- "
    - "/*"

  # Max query length to prevent buffer overflow attempts
  max_query_length: 4096
SQLI-001: BLOCKED

Classic SQL Injection - Blocked

Attack Attempt

SELECT * FROM users WHERE id = '1' OR '1'='1'

Expected Response

ERROR: SQL injection pattern detected
DETAIL: Inline literal values are not allowed. Use parameterized queries.
HINT: Change to: SELECT * FROM users WHERE id = $1

The tautology attack OR '1'='1' is blocked by both pattern detection and parameterization enforcement.

SQLI-002: BLOCKED

UNION-based Injection - Blocked

Attack Attempt

SELECT id, name FROM users WHERE id = 1 UNION SELECT username, password FROM admin_users

Expected Response

ERROR: Query not in whitelist
DETAIL: Query fingerprint does not match any allowed template.
       UNION SELECT pattern detected and blocked.

UNION-based data exfiltration is blocked because the query structure differs from the whitelisted template.

SQLI-003: BLOCKED

Stacked Queries - Blocked

Attack Attempt

SELECT * FROM users WHERE id = 1; DROP TABLE users; --

Expected Response

ERROR: Multiple statements not allowed
DETAIL: Only single-statement queries are permitted.
       Detected 2 statements separated by ';'

Destructive stacked queries like DROP TABLE are blocked. Only single-statement queries matching the whitelist pass.

SQLI-004: BLOCKED

Comment-based Injection - Blocked

Attack Attempt

SELECT * FROM users WHERE name = 'admin'--' AND password = 'x'

Expected Response

ERROR: SQL injection pattern detected
DETAIL: SQL comment sequence '--' not allowed in query.
HINT: Use parameterized queries instead of string concatenation.

Comment-based bypasses that attempt to truncate the query are blocked by pattern detection.

SQLI-VALID: ALLOWED

Correct Parameterized Query

Safe Query

SELECT id, name, email FROM users WHERE id = $1

With Parameter

Parameter $1 = 42  (bound separately, never interpolated)

Properly parameterized queries are safe. The parameter value is bound separately and never interpolated into the SQL string.
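The policy.yaml above and the five test cases SQLI-001 to SQLI-VALID, worked as an added example that is not Signando Postgres's own code: a small Python checker that applies the three layers to a query and reports every violation it finds, so each test case can be run through it. The block patterns and length limit are the page's; the whitelist template, the helper names and the violation strings are assumptions.

```python
import re

# Block patterns and length limit are taken from the page's policy.yaml;
# the whitelist template is an assumed deployment value.
BLOCK_PATTERNS = ["OR '1'='1'", "UNION SELECT", "; DROP", "-- ", "/*"]
MAX_QUERY_LENGTH = 4096
WHITELIST = {"SELECT id, name, email FROM users WHERE id = $1"}


def strip_strings(sql: str) -> str:
    """Replace single-quoted literals with <str> so later checks see only structure.
    An unterminated quote (itself a classic injection sign) becomes a marker too."""
    out, i = [], 0
    while i < len(sql):
        if sql[i] == "'":
            close = sql.find("'", i + 1)
            out.append("<str>")
            i = len(sql) if close == -1 else close + 1
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def fingerprint(sql: str) -> str:
    """Normalise whitespace, case and a trailing ';' so equivalent templates compare equal."""
    return re.sub(r"\s+", " ", sql.strip().rstrip(";").strip()).lower()


def evaluate(sql: str) -> list[str]:
    """Return every policy violation found; an empty list means the query is allowed."""
    violations = []
    if len(sql) > MAX_QUERY_LENGTH:
        violations.append("max_query_length exceeded")
    structure = strip_strings(sql)
    # Layer 1: the query's fingerprint must equal a whitelisted template
    if fingerprint(sql) not in {fingerprint(t) for t in WHITELIST}:
        violations.append("query not in whitelist")
    # Layer 2: no inline literals, only $n placeholders (the lookbehind spares "$1")
    if "<str>" in structure or re.search(r"(?<![$\w])\d+\b", structure):
        violations.append("inline literal; use $1, $2... placeholders")
    # Layer 3: known attack patterns, matched case-insensitively on the raw text
    violations += [f"blocked pattern {p!r}" for p in BLOCK_PATTERNS if p.upper() in sql.upper()]
    # Comments and stacked statements are judged outside string literals
    if "--" in structure or "/*" in structure:
        violations.append("SQL comment sequence not allowed")
    parts = [p.strip() for p in structure.split(";")]
    statements = [p for p in parts if p and not p.startswith("--")]
    if len(statements) > 1:
        violations.append(f"multiple statements ({len(statements)}) not allowed")
    return violations
```

Running the page's queries through evaluate() gives an empty list only for SQLI-VALID; SQLI-003 reports exactly two statements because the trailing comment is not counted.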