SQL Injection (CWE-89) - Security Vulnerability

Improper Neutralization of Special Elements used in an SQL Command

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

Verbreitung

Very Common

OWASP Top 10 since 2010

Auswirkung

Critical

Data breach, auth bypass, RCE

Prävention

Well understood

Parameterized queries

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für SQL Injection basierend auf 7 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →

SQL Injection via Database Queries CRITICAL

Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders

+1 -2 go

  func getUser(w http.ResponseWriter, r *http.Request) {
      userID := r.URL.Query().Get("id")
-     query := "SELECT * FROM users WHERE id = " + userID
-     rows, err := db.Query(query)
+     rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID)
      // ...
  }

🟨 JavaScript Alle anzeigen JavaScript Details →

SQL Injection via Database Queries CRITICAL

Use parameterized queries with placeholder syntax

+2 -2 javascript

- const query = `SELECT * FROM users WHERE id = '${req.params.id}'`;
- await db.query(query);
+ const query = 'SELECT * FROM users WHERE id = $1';
+ await db.query(query, [req.params.id]);

Prisma Raw Query SQL Injection CRITICAL

Use Prisma.sql tagged template for parameterized raw queries instead of regular template literals

+10 -11 javascript

- import { PrismaClient } from '@prisma/client';
- const prisma = new PrismaClient();
- 
- app.get('/api/users/search', async (req, res) => {
-   const { name } = req.query;
-   const users = await prisma.$queryRaw`
-     SELECT * FROM "User" WHERE name LIKE '%${name}%'
-   `;
-   res.json(users);
- });
- // Attacker sends: name=' OR 1=1 --
+ import { PrismaClient, Prisma } from '@prisma/client';
+ const prisma = new PrismaClient();
+ 
+ app.get('/api/users/search', async (req, res) => {
+   const { name } = req.query;
+   const users = await prisma.$queryRaw(
+     Prisma.sql`SELECT * FROM "User" WHERE name LIKE ${`%${name}%`}`
+   );
+   res.json(users);
+ });

TypeORM SQL Injection in Raw Query CRITICAL

Use parameterized queries with positional (?) or named (:param) placeholders instead of string interpolation

+5 -5 javascript

  import { getManager } from 'typeorm';
  
  app.get('/api/users/search', async (req, res) => {
    const { name, role } = req.query;
    const manager = getManager();
    const users = await manager.query(
-     `SELECT * FROM users WHERE name = '${name}' AND role = '${role}'`
-   );
-   res.json(users);
- });
- // Attacker sends: name=' OR '1'='1' --
+     'SELECT * FROM users WHERE name = $1 AND role = $2',
+     [name, role]
+   );
+   res.json(users);
+ });

🐍 Python Alle anzeigen Python Details →

GraphQL Injection / Unsafe Query Construction HIGH

Use parameterized GraphQL queries with variables instead of string formatting

+3 -3 python

  from flask import request
  import graphene
  
  @app.route('/graphql', methods=['POST'])
  def graphql_endpoint():
-     user_id = request.json.get('id')
-     query = f'{{ user(id: "{user_id}") {{ name email }} }}'
-     result = schema.execute(query)
+     query = request.json.get('query')
+     variables = request.json.get('variables', {})
+     result = schema.execute(query, variables=variables)
      return jsonify(result.data)

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach SQL Injection-Mustern zu scannen. 7 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=89

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (7)

🟨 Javascript 4 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing into SQL queries without parameterization.

Prisma Raw Query SQL Injection CRITICAL

Using template literals instead of Prisma.sql`` in $queryRaw bypasses parameter binding and enables SQL injection.

TypeORM SQL Injection in Raw Query CRITICAL

Raw SQL queries with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

TypeORM Query Builder SQL Injection CRITICAL

QueryBuilder where clauses with template literals or concatenation bypass parameter binding, enabling SQL injection.

🔷 Typescript 4 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing into SQL queries without parameterization.

Prisma Raw Query SQL Injection CRITICAL

Using template literals instead of Prisma.sql`` in $queryRaw bypasses parameter binding and enables SQL injection.

TypeORM SQL Injection in Raw Query CRITICAL

Raw SQL queries with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

TypeORM Query Builder SQL Injection CRITICAL

QueryBuilder where clauses with template literals or concatenation bypass parameter binding, enabling SQL injection.

🐍 Python 2 rules

GraphQL Injection / Unsafe Query Construction HIGH

Detects unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection in production. These can lead to injection attacks, DoS via deeply nested queries, or information disclosure.

SQL Injection via Database Queries CRITICAL

Detects untrusted user input flowing into SQL database queries without proper parameterization.

🐹 Go 1 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing to SQL queries without parameterization.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle SQL Injection-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠

unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introsp python-graphql-injection

🔴

user input flowing to SQL queries without parameterization go-sql-injection

🔴

user input flowing into SQL queries without parameterization javascript-sql-injection

🔴

Raw SQL query uses untrusted input without proper parameterization. Use Prisma.sql`` template tag for safe parameter bin prisma-raw-query-injection

🔴

untrusted user input flowing into SQL database queries without proper parameterization python-sql-injection

🔴

Raw SQL query method uses untrusted input without parameterization. Use parameterized queries with ? or $1 placeholders. typeorm-sql-injection-raw-query

🔴

QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders. typeorm-unsafe-query-builder

5 Code-Audit

Manuelle Review-Muster

Bei der manuellen Code-Review nach diesen gefährlichen Mustern suchen.

Warnsignale, nach denen man suchen sollte

query = + String-Verkettung

execute(f"... or execute("..." +

raw_query, rawQuery, executeRaw

${ or #{ innerhalb von SQL-Strings

6 Expertenanalyse

Wie Sicherheitsexperten denken

Das mentale Modell, das Sicherheitsexperten beim Review dieser Schwachstelle verwenden.

Einstiegspunkte kartieren

URL-Parameter, POST-Bodies, Header, Cookies, Datei-Uploads.

Datenfluss verfolgen

Verfolge die Eingabe durch den Code. Wird sie bereinigt?

Senken identifizieren

Where queries are executed: execute(), query()

Vertrauensgrenzen prüfen

Achte auf gespeicherte Daten, die in Abfragen verwendet werden.

🔍

Scanne deine Codebasis nach SQL Injection

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen