How do you prevent SQL injection?

Answer

Preventing SQL injection requires multiple layers:

(1) Parameterized queries (prepared statements): the most effective defense. The query structure is defined separately from the data, so the database treats user input as a data value, never as SQL code. Example in PHP: `$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?'); $stmt->execute([$email]);`

(2) ORM / query builders: most ORMs use parameterized queries internally, but their raw-query escape hatches must still be used carefully.

(3) Stored procedures: when they are called with parameters and do not build dynamic SQL internally, they give the same protection as prepared statements.

(4) Input validation: whitelist the expected characters (e.g., only digits for ID fields) and reject anything else before it reaches the query layer.

(5) Least privilege: the DB user should have only the permissions the application needs, so that even a successful injection is limited in what it can read or change.

(6) WAF: an additional layer that catches obvious payloads, not a substitute for the above.

(7) Error handling: don't return DB error messages to users, since they reveal the schema and help an attacker refine input; log them server-side and return a generic message.

(8) Regular SQLi testing in the CI/CD pipeline to catch regressions.
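As an added example (not part of the original answer), the string-built query beside its parameterized form, plus a whitelist check for an ID field, in Python with sqlite3 against a constructed in-memory table. A legitimate email containing an apostrophe is enough to show the difference: the spliced query breaks because the value became part of the SQL text, while the parameterized query matches it as plain data.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("alice@example.com",), ("o'neil@example.com",)])
    return conn


def find_user_vulnerable(conn, email):
    # Vulnerable pattern: the value is spliced into the SQL string, so any
    # quote or metacharacter in it changes the statement itself.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # Parameterized query: the structure is fixed and the driver passes the
    # value separately, so the database never parses it as SQL.
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


ID_RE = re.compile(r"[0-9]{1,10}")


def validate_id(raw_id):
    # Whitelist validation for an ID field: digits only, bounded length.
    return ID_RE.fullmatch(raw_id) is not None


def find_by_id(conn, raw_id):
    if not validate_id(raw_id):
        raise ValueError("invalid id")          # rejected before any SQL runs
    sql = "SELECT id, email FROM users WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def demo(email="o'neil@example.com"):
    """Returns whether the spliced query failed, and what the safe query found."""
    conn = make_db()
    try:
        find_user_vulnerable(conn, email)
        spliced_failed = False
    except sqlite3.Error:
        # Log the driver error server-side; never echo it to the user.
        spliced_failed = True
    return {"spliced_failed": spliced_failed, "safe_rows": find_user_safe(conn, email)}
```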