How to Fix SQL Injection in FastAPI
Learn how to prevent and fix SQL Injection vulnerabilities in FastAPI applications. Step-by-step guide with code examples, security checklists, and best practices.
What Is SQL Injection?
SQL Injection is a code injection technique that exploits security vulnerabilities in an application's database layer. It occurs when user-supplied data is included in SQL queries without proper sanitization, allowing an attacker to manipulate the query's logic. An attacker can craft input that changes the intended SQL command, gaining unauthorized access to data.
The attack works by inserting (or "injecting") SQL fragments into input fields, URL parameters, cookies, or HTTP headers that are then incorporated into database queries. For example, a login form vulnerable to SQL injection might allow an attacker to bypass authentication by entering `' OR '1'='1` as a password. More sophisticated attacks can use UNION-based injection to extract data from other tables, blind injection to infer data one bit at a time, or stacked queries to execute arbitrary SQL commands.
While ORMs and query builders have reduced the prevalence of SQL injection, it remains common in applications that use raw queries, dynamic query construction, or improperly configured ORMs. Stored procedures are not immune either if they construct dynamic SQL internally.
Why It Matters
SQL Injection consistently ranks among the most dangerous web vulnerabilities because of its severe impact. A successful attack can lead to complete database compromise, allowing attackers to read all data including credentials, personal information, and financial records. Attackers can modify or delete data, causing data integrity issues and potential business disruption. In some database configurations, SQL injection can be escalated to operating system command execution, leading to full server compromise. The 2017 Equifax breach, which exposed 147 million records, was caused by a related injection vulnerability. For applications subject to regulations like GDPR or HIPAA, a SQL injection breach can result in millions of dollars in fines.
How to Fix It in FastAPI
The most effective defense against SQL injection is using parameterized queries (also called prepared statements) for all database interactions. Never concatenate user input directly into SQL strings. Use your ORM's built-in query methods rather than raw SQL wherever possible. If raw queries are necessary, always use parameterized placeholders. Implement input validation using strict allowlists for expected data types and formats. Apply the principle of least privilege to database accounts -- the application should connect with minimal necessary permissions. Use a Web Application Firewall (WAF) as an additional layer. Regularly audit your codebase for raw query construction patterns.
FastAPI-Specific Advice
- Use Pydantic models for all request validation. FastAPI automatically validates requests against Pydantic schemas, but ensure all fields are properly typed.
- Use SQLAlchemy ORM or parameterized queries with your database driver. Never use f-strings or string formatting in SQL queries.
- Implement OAuth2 with JWT using FastAPI's built-in `OAuth2PasswordBearer` and proper token validation with `python-jose`.
- Configure CORS middleware explicitly. Use `CORSMiddleware` with specific `allow_origins` rather than wildcards in production.
Code Examples
# DANGEROUS -- SQL injection via f-string
@app.get("/users/{user_id}")
async def get_user(user_id: str):
query = f"SELECT * FROM users WHERE id = '{user_id}'"
result = await database.fetch_one(query)
return resultfrom sqlalchemy import select
from app.models import User
# Option 1: SQLAlchemy ORM
@app.get("/users/{user_id}")
async def get_user(user_id: int, db: Session = Depends(get_db)):
user = db.query(User).filter(User.id == user_id).first()
if not user:
raise HTTPException(status_code=404)
return user
# Option 2: Parameterized query
@app.get("/users/{user_id}")
async def get_user(user_id: int):
query = "SELECT * FROM users WHERE id = :id"
result = await database.fetch_one(query, values={"id": user_id})
return resultFastAPI Security Checklist for SQL Injection
FastAPI Security Best Practices
Use Pydantic models for all request validation. FastAPI automatically validates requests against Pydantic schemas, but ensure all fields are properly typed.
Use SQLAlchemy ORM or parameterized queries with your database driver. Never use f-strings or string formatting in SQL queries.
Implement OAuth2 with JWT using FastAPI's built-in `OAuth2PasswordBearer` and proper token validation with `python-jose`.
Configure CORS middleware explicitly. Use `CORSMiddleware` with specific `allow_origins` rather than wildcards in production.
Use `python-dotenv` for environment variables and never hardcode secrets. Keep `.env` files out of version control.
Implement rate limiting using `slowapi` or a reverse proxy. FastAPI does not include built-in rate limiting.
Use `UploadFile` type for file uploads with validation of content type and file size. Process files securely.
Avoid using `pickle.loads()` or `yaml.load()` on untrusted data. Use `json.loads()` for deserialization of user input.
Scan Your FastAPI App with SafeVibe
Stop guessing if your FastAPI app is vulnerable to SQL Injection. Run an automated penetration test in minutes and get actionable results.
Start Free Scan