SQL injection vulnerability detected.

  • Rule ID: javascript_lang_sql_injection
  • Languages: javascript
  • Source: sql_injection.yml


Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.


❌ Avoid raw queries, especially those that contain unsanitized user input

  var { Sequelize } = require("sequelize");
  var sqlite = new Sequelize("sqlite::memory:");
  // req.params.userId is attacker-controlled and is concatenated straight into the SQL text
  sqlite.query("SELECT * FROM users WHERE ID = " + req.params.userId);

Instead, consider the following approaches when writing SQL queries:

✅ Validate query input wherever possible

  var rawId = req.params.userId;
  // Anchor the pattern with ^ and $ so the whole value must be digits, not merely contain one
  if (!/^[0-9]+$/.test(rawId)) {
    // input is unexpected; don't make the query
    return;
  }

✅ Use prepared (or parameterized) statements when querying

Sequelize example:

  var { Sequelize } = require("sequelize");
  var sqlite = new Sequelize("sqlite::memory:");
  // The SQL text is constant; the user value is passed separately as a replacement
  sqlite.query(
    "SELECT * FROM users WHERE ID = ?",
    { replacements: [req.params.userId], type: Sequelize.QueryTypes.SELECT }
  );
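The two safe approaches above, combined into one handler, as an added example that is not part of Bearer's rule documentation. It assumes an Express-style `req` object (simulated inline) and returns the query pieces instead of calling Sequelize, so it runs offline; `LOOSE_ID`, `STRICT_ID`, `isValidUserId`, `buildParameterizedQuery` and `lookupUser` are names chosen for this example.

```javascript
// Added example: validation plus parameterization without a live database.

// The rule's validation snippet tests /[0-9]+/, which only asks whether the
// value *contains* a digit. Anchoring with ^ and $ requires the whole value
// to be digits, which is what "the ID is numeric" actually means.
const LOOSE_ID = /[0-9]+/;
const STRICT_ID = /^[0-9]+$/;

// Returns true only for a string made entirely of digits (with the default pattern).
// Non-string input (e.g. a missing route parameter) is rejected rather than coerced.
function isValidUserId(rawId, pattern = STRICT_ID) {
  return typeof rawId === "string" && pattern.test(rawId);
}

// Parameterized form: the SQL text is a constant and the value travels separately,
// so the driver never parses user data as SQL. Mirrors the shape Sequelize's
// query(sql, { replacements }) expects, but returns the pieces instead of executing.
function buildParameterizedQuery(userId) {
  return {
    sql: "SELECT * FROM users WHERE ID = ?",
    replacements: [userId],
  };
}

// Handler in the style of the rule: validate first, then query with replacements.
// Returns a status code and the query that would be run (null when rejected).
function lookupUser(req) {
  const rawId = req.params.userId;
  if (!isValidUserId(rawId)) {
    // input is unexpected; don't make the query
    return { status: 400, query: null };
  }
  return { status: 200, query: buildParameterizedQuery(rawId) };
}

// Constructed sample requests: a well-formed id and a value that merely contains a digit.
const goodReq = { params: { userId: "7" } };
const badReq = { params: { userId: "42 extra" } };
console.log(lookupUser(goodReq));                       // status 200, query with replacements ["7"]
console.log(lookupUser(badReq));                        // status 400, query null
console.log(isValidUserId(badReq.params.userId, LOOSE_ID)); // true: the unanchored pattern lets it through
```

The last line shows why the anchoring matters: the unanchored pattern from the rule text accepts any value that contains a digit, while `STRICT_ID` rejects it before a query is ever built.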
