The language that's being used is not the problem.
The problem is building SQL statements using data from untrusted sources.
It doesn't matter if it's PHP:
$sql = "SELECT * FROM users WHERE id = '$id'";
or if it's in C:
sprintf( sql, "SELECT * FROM users WHERE id = '%s'", id );
In both cases, if the id or $id variable is untrusted input from an outside data source, the SQL being built is tainted. In either case, if an attacker passes in an id of
'; drop table users;
then you're building:
SELECT * FROM users WHERE id = ''; drop table users;
The answer to avoiding SQL injection is: do not build SQL statements using outside data.