SQL Injection

SQL queries built with template literals or string concat (ORM-aware)

critical · Security · sql-injection

Why this matters

String-concatenated SQL lets attackers inject arbitrary queries: they can dump your entire database, modify data, or escalate privileges. ORMs and query builders prevent this by parameterizing values automatically, as long as user input is not concatenated into their raw-SQL escape hatches.

Bad

app.get("/users", async (req, res) => {
  const { name } = req.query;
  // The untrusted query-string value is interpolated straight into the SQL text
  const result = await db.query(
    `SELECT * FROM users WHERE name = '${name}'`
  );
  res.json(result.rows);
});

Good

app.get("/users", async (req, res) => {
  const { name } = req.query;
  // The SQL text is fixed; the value is sent separately as parameter $1
  const result = await db.query(
    "SELECT * FROM users WHERE name = $1",
    [name]
  );
  res.json(result.rows);
});

How to fix

Always use parameterized queries or an ORM (Prisma, Drizzle, Knex). Never interpolate user input into SQL strings.
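As an added example (written for this page, not the rule engine's own implementation), a heuristic scanner for the pattern this rule flags: it locates `query(` calls in JavaScript source text and reports whether the SQL argument is a template literal with `${}` interpolation or a string assembled with `+`. It works on raw text rather than an AST, and the source it scans is constructed here from the page's Bad and Good handlers.

```javascript
// Heuristic, text-based check for SQL built from parts (added example, not the
// rule engine's code). A real linter would work on an AST instead of raw text.

// Classify how the SQL text argument is built; null means no finding.
function classifySqlArg(arg) {
  if (arg.startsWith("`") && arg.includes("${")) return "template-literal";
  // Replace every string literal with S, then look for a + operator between parts.
  const stripped = arg.replace(/`(?:\\.|[^`\\])*`|'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, "S");
  return stripped.includes("+") ? "string-concat" : null;
}

// Scan JavaScript source for query(...) calls whose SQL argument is built from parts.
function scanForSqlConcat(src) {
  const findings = [];
  const callRe = /\bquery\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    // Walk to the matching ')', skipping string/template contents, and note the
    // first top-level comma so only the SQL text argument is classified.
    let depth = 1, quote = null, firstComma = -1, i = callRe.lastIndex;
    for (; i < src.length && depth > 0; i++) {
      const ch = src[i];
      if (quote) { if (ch === "\\") i++; else if (ch === quote) quote = null; }
      else if (ch === "'" || ch === '"' || ch === "`") quote = ch;
      else if ("([{".includes(ch)) depth++;
      else if (")]}".includes(ch)) depth--;
      else if (ch === "," && depth === 1 && firstComma < 0) firstComma = i;
    }
    const end = firstComma >= 0 ? firstComma : i - 1;
    const kind = classifySqlArg(src.slice(callRe.lastIndex, end).trim());
    if (kind) findings.push({ line: src.slice(0, m.index).split("\n").length, kind });
  }
  return findings;
}

// Constructed sample source mixing the page's Bad and Good handlers.
const SAMPLE = [
  'app.get("/users", async (req, res) => {',
  "  const { name } = req.query;",
  "  const bad = await db.query(`SELECT * FROM users WHERE name = '${name}'`);",
  '  const alsoBad = await db.query("SELECT * FROM users WHERE id = " + req.query.id);',
  '  const good = await db.query("SELECT * FROM users WHERE name = $1", [name]);',
  "  res.json(good.rows);",
  "});",
].join("\n");

console.log(scanForSqlConcat(SAMPLE)); // [{ line: 3, kind: "template-literal" }, { line: 4, kind: "string-concat" }]
```

The parameterized call on line 5 of the sample produces no finding because its SQL text is a single fixed literal and the `[name]` array is never inspected.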
