A beginner-friendly project to explore backend development, database security, and SQL injection prevention using Python and Flask.
When I first thought about SQL, the image that came to mind was a hacker injecting malicious queries into a website. My curiosity led me to learn about SQL Injection, how it works, and how to defend against it.
To explore this, I built a simple yet practical app with two goals:
- Create a Python script to connect to a SQL Server database.
- Build a backend that filters and blocks SQL injection attempts.
Although I had only basic knowledge of relational databases, I saw this as a great opportunity to go beyond the assignment and learn something useful for real-world development.
In a web application:
- The frontend sends user inputs (e.g., login credentials).
- The backend processes requests and interacts with the database.
- If not secured, the backend becomes vulnerable to SQL injection.
This project aims to secure the backend by validating user input with regular expressions, so that malicious SQL statements are rejected before they reach the database.
Tip: In real-world applications, a dedicated Secure API can be used to filter malicious requests more effectively.
| Layer | Technology |
|---|---|
| Frontend | HTML, CSS, JavaScript |
| Backend | Python, Flask |
| Database | Microsoft SQL Server |
| Security | Regex-based Input Validation |
A simple login form built using HTML, CSS, and JavaScript; no frameworks used.
File Structure:
```
/Project-Files/
├── template/
└── static/
```
Created using Microsoft SQL Server:
```sql
CREATE TABLE users (
    id INT PRIMARY KEY IDENTITY(1,1),
    username NVARCHAR(50) NOT NULL,
    password NVARCHAR(50) NOT NULL
);

-- Insert example data
INSERT INTO users (username, password) VALUES ('admin', 'admin');
```
Database Name: myDB
```
pip install pyodbc Flask
```
- pyodbc: for connecting to SQL Server
- Flask: lightweight web framework
```python
import pyodbc as odbc

conn_str = (
    r'DRIVER={SQL Server};'
    r'SERVER=X\SQLEXPRESS;'
    'DATABASE=myDB;'
    'Trusted_Connection=yes;'
)
conn = odbc.connect(conn_str)
```
Replace `X\SQLEXPRESS` with your actual SQL Server name. To find it, run:
```sql
SELECT @@SERVERNAME
```
```python
from flask import Flask, render_template, request
import re

app = Flask(__name__)

@app.route('/')
def home():
    return 'Welcome to the secure app!'

if __name__ == '__main__':
    app.run(debug=True)
```
Using regular expressions to validate user input:
```python
import re

# validate_login is a wrapper added here so the two checks below can be called
# from the login route; the checks themselves are the project's own.
def validate_login(username, password):
    # Allowlist: letters, digits and underscore only
    if not re.match(r'^[a-zA-Z0-9_]+$', username):
        return 'Invalid username format'
    if not re.match(r'^[a-zA-Z0-9_]+$', password):
        return 'Invalid password format'
    return None  # both fields are acceptable
```
- Only allows alphanumeric characters and underscores
- Blocks characters like `'`, `;`, `--`, etc., which are often used in injection attempts

```python
import re

pattern = r'^[a-zA-Z0-9_]+$'
username = 'user123'
if re.match(pattern, username):
    print('Valid username')
```
Project structure located in /Project-Files. Built with Visual Studio Code.
To start the server:
```
python app.py
```
You should see:
```
* Running on http://127.0.0.1:5000/
* Debug mode: on
```
Visit: http://127.0.0.1:5000
Tried a basic injection attempt on the login form:
Result: Rejected with `Invalid username format`; injection blocked!
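The regex allowlist stops the obvious characters, but a practitioner would pair it with a second layer: passing the values to the database as query parameters rather than splicing them into the SQL string. The block below is an added example, not code from this project. It uses Python's bundled `sqlite3` as an in-memory stand-in for SQL Server so that it runs offline; the `?` placeholder style is the same one pyodbc uses. The names `validate_input`, `make_demo_db`, `lookup_user` and `login`, and the seeded `admin`/`admin` row, are this example's own. It also uses `re.fullmatch` instead of `re.match(r'^...$')`, because `$` matches before a trailing newline, so an input such as `'admin\n'` would pass the original check.

```python
import re
import sqlite3

# Same character class as the project's regex (letters, digits, underscore).
# Checked with fullmatch() rather than match(r'^...$'): '$' also matches just
# before a trailing newline, so 'admin\n' would slip through the original test.
# The {1,50} bound mirrors the NVARCHAR(50) columns in the users table.
ALLOWED = re.compile(r'[A-Za-z0-9_]{1,50}')


def validate_input(username, password):
    """Return None when both fields pass the allowlist, else the same error
    text the README's login check returns."""
    if not ALLOWED.fullmatch(username):
        return 'Invalid username format'
    if not ALLOWED.fullmatch(password):
        return 'Invalid password format'
    return None


def make_demo_db():
    """In-memory SQLite stand-in for the SQL Server 'users' table, seeded with
    the same constructed row as the README (admin / admin)."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE users ('
        'id INTEGER PRIMARY KEY AUTOINCREMENT, '
        'username TEXT NOT NULL, password TEXT NOT NULL)'
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin')")
    conn.commit()
    return conn


def lookup_user(conn, username, password):
    """Second layer: a parameterized query. The '?' placeholders are the style
    pyodbc uses too; the driver sends the values as data, so a quote or comment
    marker inside them can never change what the statement means."""
    row = conn.execute(
        'SELECT id FROM users WHERE username = ? AND password = ?',
        (username, password),
    ).fetchone()
    return row is not None


def login(conn, username, password):
    """The check as the backend would run it: allowlist first, then the
    parameterized lookup. Returns (ok, error_message)."""
    error = validate_input(username, password)
    if error:
        return False, error
    return lookup_user(conn, username, password), None


if __name__ == '__main__':
    db = make_demo_db()
    print(login(db, 'admin', 'admin'))        # (True, None)
    print(login(db, 'admin', 'wrong'))        # (False, None)
    print(login(db, "adm'in", 'admin'))       # (False, 'Invalid username format')
    print(login(db, 'admin\n', 'admin'))      # (False, 'Invalid username format')
    print(lookup_user(db, "adm'in", 'admin')) # False: the quote is just data
```

The last call shows why the second layer matters on its own: even when a quote reaches the query, the parameterized lookup simply finds no such user, whereas a string-built query would have had its syntax altered.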
Included a helper function to execute .sql files if needed:
```python
import pyodbc

def execute_sql_file(file_path):
    # Read the script and split it into statements on ';'
    # (simple split: a ';' inside a string literal would also be split on)
    with open(file_path, 'r') as file:
        sql_commands = file.read().split(';')
    conn = pyodbc.connect(conn_str)  # conn_str as defined above
    cursor = conn.cursor()
    try:
        for command in sql_commands:
            if command.strip():
                cursor.execute(command)
        conn.commit()
    finally:
        cursor.close()
        conn.close()
```
Use this to auto-run /SQL/create_tables.sql (optional).
- Connecting Python to SQL Server using pyodbc
- Handling HTTP requests using Flask
- Validating user input with regex
- Preventing SQL Injection in simple web apps
This was my first backend project combining Flask with a relational database. The app runs securely, blocks SQL injection, and reinforces backend fundamentals. I'm excited to continue building more secure apps and learning deeper concepts!
This project was completed as part of the Information Security course at Antioch Syrian University, under the guidance of Ms. Nabiha Halak.
Thank you for the valuable insights and support throughout the assignment.


