---
title: Always Use Parameterized Queries
impact: CRITICAL
impactDescription: prevents SQL and NoSQL injection attacks
tags: injection, sql, nosql, database, parameterized, security, kotlin
---

## Always Use Parameterized Queries

SQL injection is one of the most common and severe application vulnerabilities. Building a query by concatenating untrusted input into the SQL string lets an attacker change the structure of the query itself and execute arbitrary database commands, steal data, or destroy databases. Parameterized queries keep the SQL text fixed and send values separately, so input is never interpreted as SQL.

**Incorrect (string concatenation):**

```kotlin
// SQL Injection vulnerability
val userId = request.params["id"]
val query = "SELECT * FROM users WHERE id = '$userId'"
val result = connection.createStatement().executeQuery(query)

// Attacker input: ' OR '1'='1
// Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
// Returns ALL users!
```

**Correct (parameterized queries):**

```kotlin
// Parameterized query using PreparedStatement: the SQL text is a constant,
// and the value is bound separately, so it can never alter the query structure
val userId = request.params["id"]
val query = "SELECT * FROM users WHERE id = ?"
val preparedStatement = connection.prepareStatement(query)
preparedStatement.setString(1, userId)
val result = preparedStatement.executeQuery()

// Using an ORM or database library (Exposed DAO API shown here; Spring Data JPA
// repositories bind parameters the same way). The library builds the SQL and
// binds userId as a parameter; assumes Users.id has a type comparable to userId.
val user = transaction {
    User.find { Users.id eq userId }.firstOrNull()
}
```
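The following is an added, self-contained example that is not part of the original page. It shows two points the snippets above leave implicit: the untrusted id is validated and bound with a typed setter rather than `setString`, and a value that cannot be bound as a parameter (the `ORDER BY` column name) is checked against an allowlist instead. The `users` table layout, the `UserRow` class, the `SORTABLE_COLUMNS` allowlist and the in-memory H2 connection in `main` are all assumptions made for this example; any `java.sql.Connection` works with the two query functions.

```kotlin
import java.sql.Connection
import java.sql.DriverManager
import java.sql.ResultSet

// Assumed row shape for this example (not from the original page).
data class UserRow(val id: Int, val email: String)

// Identifiers (table and column names) cannot be bound with `?`, so the only
// safe way to let a caller choose a sort column is a fixed allowlist.
private val SORTABLE_COLUMNS = setOf("id", "email", "created_at")

// Looks up one user by an untrusted id string (for example a path parameter).
// The value is validated as an Int before binding, so input such as
// ' OR '1'='1 is rejected and never reaches the database as SQL text.
fun findUserById(connection: Connection, rawId: String?): UserRow? {
    val id = rawId?.toIntOrNull() ?: return null
    // The SQL text is constant; the value is sent separately as a bound parameter.
    connection.prepareStatement("SELECT id, email FROM users WHERE id = ?").use { stmt ->
        stmt.setInt(1, id)
        stmt.executeQuery().use { rs ->
            return if (rs.next()) rs.toUserRow() else null
        }
    }
}

// Searches by email fragment with a caller-chosen sort column. The LIKE pattern is
// a bound parameter; the column name is validated against SORTABLE_COLUMNS because
// a placeholder cannot stand in for an identifier.
fun searchUsers(connection: Connection, emailFragment: String, sortBy: String): List<UserRow> {
    require(sortBy in SORTABLE_COLUMNS) { "unsupported sort column: $sortBy" }
    // Escape LIKE wildcards so user input cannot widen the match beyond a literal substring.
    val escaped = emailFragment
        .replace("\\", "\\\\")
        .replace("%", "\\%")
        .replace("_", "\\_")
    val sql = "SELECT id, email FROM users WHERE email LIKE ? ESCAPE '\\' ORDER BY $sortBy"
    connection.prepareStatement(sql).use { stmt ->
        stmt.setString(1, "%$escaped%")
        stmt.executeQuery().use { rs ->
            val rows = mutableListOf<UserRow>()
            while (rs.next()) rows += rs.toUserRow()
            return rows
        }
    }
}

private fun ResultSet.toUserRow() = UserRow(getInt("id"), getString("email"))

// Demonstration against an in-memory H2 database (assumes the H2 JDBC driver is on the classpath).
fun main() {
    DriverManager.getConnection("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1").use { conn ->
        conn.createStatement().use { st ->
            st.execute("CREATE TABLE users (id INT PRIMARY KEY, email VARCHAR(255), created_at TIMESTAMP)")
            st.execute("INSERT INTO users (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')")
        }
        println(findUserById(conn, "1"))               // UserRow(id=1, email=alice@example.com)
        println(findUserById(conn, "' OR '1'='1"))     // null: rejected before any SQL is built
        println(searchUsers(conn, "example", "email")) // both rows, sorted by email
        runCatching { searchUsers(conn, "a", "email; DROP TABLE users") }
            .onFailure { println("rejected sort column: ${it.message}") }
    }
}
```

Note that `setInt` rather than `setString` is used for the id: binding the right JDBC type both documents the expected input and makes the database reject anything that is not an integer, independently of the string validation in the function.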

**Tools:** SonarQube (S2077, S3649), Semgrep, CodeQL, detekt
