SQL Injection (CWE-89) - Security Vulnerability

Improper Neutralization of Special Elements used in an SQL Command

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

Prevalencia

Very Common

OWASP Top 10 since 2010

Impacto

Critical

Data breach, auth bypass, RCE

Prevención

Well understood

Parameterized queries

2 Prevención

Cómo corregir esta vulnerabilidad

Estrategias de prevención para SQL Injection basadas en 7 reglas de detección de Shoulder.

🐹 Go Ver todo Go detalles →

SQL Injection via Database Queries CRITICAL

Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders

+1 -2 go

  func getUser(w http.ResponseWriter, r *http.Request) {
      userID := r.URL.Query().Get("id")
-     query := "SELECT * FROM users WHERE id = " + userID
-     rows, err := db.Query(query)
+     rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID)
      // ...
  }

🟨 JavaScript Ver todo JavaScript detalles →

SQL Injection via Database Queries CRITICAL

Use parameterized queries with placeholder syntax

+2 -2 javascript

- const query = `SELECT * FROM users WHERE id = '${req.params.id}'`;
- await db.query(query);
+ const query = 'SELECT * FROM users WHERE id = $1';
+ await db.query(query, [req.params.id]);

Prisma Raw Query SQL Injection CRITICAL

Use Prisma.sql tagged template for parameterized raw queries instead of regular template literals

+10 -11 javascript

- import { PrismaClient } from '@prisma/client';
- const prisma = new PrismaClient();
- 
- app.get('/api/users/search', async (req, res) => {
-   const { name } = req.query;
-   const users = await prisma.$queryRaw`
-     SELECT * FROM "User" WHERE name LIKE '%${name}%'
-   `;
-   res.json(users);
- });
- // Attacker sends: name=' OR 1=1 --
+ import { PrismaClient, Prisma } from '@prisma/client';
+ const prisma = new PrismaClient();
+ 
+ app.get('/api/users/search', async (req, res) => {
+   const { name } = req.query;
+   const users = await prisma.$queryRaw(
+     Prisma.sql`SELECT * FROM "User" WHERE name LIKE ${`%${name}%`}`
+   );
+   res.json(users);
+ });

TypeORM SQL Injection in Raw Query CRITICAL

Use parameterized queries with positional (?) or named (:param) placeholders instead of string interpolation

+5 -5 javascript

  import { getManager } from 'typeorm';
  
  app.get('/api/users/search', async (req, res) => {
    const { name, role } = req.query;
    const manager = getManager();
    const users = await manager.query(
-     `SELECT * FROM users WHERE name = '${name}' AND role = '${role}'`
-   );
-   res.json(users);
- });
- // Attacker sends: name=' OR '1'='1' --
+     'SELECT * FROM users WHERE name = $1 AND role = $2',
+     [name, role]
+   );
+   res.json(users);
+ });

🐍 Python Ver todo Python detalles →

GraphQL Injection / Unsafe Query Construction HIGH

Use parameterized GraphQL queries with variables instead of string formatting

+3 -3 python

  from flask import request
  import graphene
  
  @app.route('/graphql', methods=['POST'])
  def graphql_endpoint():
-     user_id = request.json.get('id')
-     query = f'{{ user(id: "{user_id}") {{ name email }} }}'
-     result = schema.execute(query)
+     query = request.json.get('query')
+     variables = request.json.get('variables', {})
+     result = schema.execute(query, variables=variables)
      return jsonify(result.data)

3 Detección

Encuentra vulnerabilidades en tu código

Usa Shoulder para escanear tu código en busca de patrones SQL Injection. 7 reglas.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=89

# Or scan entire project
npx @shoulderdev/cli trust .

Reglas de Detección (7)

🟨 Javascript 4 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing into SQL queries without parameterization.

Prisma Raw Query SQL Injection CRITICAL

Using template literals instead of Prisma.sql`` in $queryRaw bypasses parameter binding and enables SQL injection.

TypeORM SQL Injection in Raw Query CRITICAL

Raw SQL queries with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

TypeORM Query Builder SQL Injection CRITICAL

QueryBuilder where clauses with template literals or concatenation bypass parameter binding, enabling SQL injection.

🔷 Typescript 4 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing into SQL queries without parameterization.

Prisma Raw Query SQL Injection CRITICAL

Using template literals instead of Prisma.sql`` in $queryRaw bypasses parameter binding and enables SQL injection.

TypeORM SQL Injection in Raw Query CRITICAL

Raw SQL queries with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

TypeORM Query Builder SQL Injection CRITICAL

QueryBuilder where clauses with template literals or concatenation bypass parameter binding, enabling SQL injection.

🐍 Python 2 rules

GraphQL Injection / Unsafe Query Construction HIGH

Detects unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection in production. These can lead to injection attacks, DoS via deeply nested queries, or information disclosure.

SQL Injection via Database Queries CRITICAL

Detects untrusted user input flowing into SQL database queries without proper parameterization.

🐹 Go 1 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing to SQL queries without parameterization.

4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de SQL Injection. Búscalos durante las revisiones de código y auditorías de seguridad.

🟠

unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introsp python-graphql-injection

🔴

user input flowing to SQL queries without parameterization go-sql-injection

🔴

user input flowing into SQL queries without parameterization javascript-sql-injection

🔴

Raw SQL query uses untrusted input without proper parameterization. Use Prisma.sql`` template tag for safe parameter bin prisma-raw-query-injection

🔴

untrusted user input flowing into SQL database queries without proper parameterization python-sql-injection

🔴

Raw SQL query method uses untrusted input without parameterization. Use parameterized queries with ? or $1 placeholders. typeorm-sql-injection-raw-query

🔴

QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders. typeorm-unsafe-query-builder

5 Auditoría de código

Patrones de revisión manual

Al revisar código manualmente, busca estos patrones peligrosos.

Señales de alerta a buscar

query = + concatenación de cadenas

execute(f"... or execute("..." +

raw_query, rawQuery, executeRaw

${ or #{ dentro de cadenas SQL

6 Análisis experto

Cómo piensan los expertos en seguridad

El modelo mental que usan los profesionales de seguridad al revisar esta vulnerabilidad.

Mapea los puntos de entrada

Parámetros de URL, cuerpos POST, encabezados, cookies, subidas de archivos.

Rastrea el flujo de datos

Sigue la entrada a través del código. ¿Se sanea?

Identifica los sumideros

Where queries are executed: execute(), query()

Verifica los límites de confianza

Vigila los datos almacenados que se usan en consultas.

🔍

Escanea tu base de código para SQL Injection

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas