Safe Penetration Testing Labs · intermediate · ~10 min
Understand why parametrised queries are the only defence.
Concatenating user data into a SQL string lets the user inject SQL syntax:
"SELECT * FROM users WHERE name = '" + input + "'"
If input is ' OR '1'='1, the query returns every user. The fix: parametrised queries (prepared statements). The driver sends template and data separately; the engine cannot reinterpret data as SQL.
The C exercises don't run SQL injection — they teach you to recognize the smell in code, and to write the parametrised version.
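To see the two behaviours side by side before writing the C version, here is an added example (not part of the lab) in Python with the standard-library sqlite3 driver: a constructed in-memory users table, the concatenating lookup the page warns about, and its parametrised replacement.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory table with four users.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",), ("o'brien",)])
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list[str]:
    """The smell: user data is spliced into the SQL text, so any quote or
    operator it contains becomes part of the statement the engine parses."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, name: str) -> list[str]:
    """The fix: the template with a ? placeholder is sent as SQL and the
    value is bound separately, so the engine never parses it as syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print(lookup_concat(db, "alice"))   # ['alice']
    print(lookup_concat(db, hostile))   # every user: the quote closed the literal
    print(lookup_param(db, hostile))    # [] : matched literally, no such name
    print(lookup_param(db, "o'brien"))  # ["o'brien"]: apostrophes need no escaping
    try:
        lookup_concat(db, "o'brien")    # concatenation breaks even on benign input
    except sqlite3.OperationalError as exc:
        print("syntax error from concatenation:", exc)
```

The last case is the practical tell: the concatenating version is not just injectable, it is wrong for ordinary names containing an apostrophe, while the bound parameter handles them without any escaping code.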