# SQL Injection (CWE-89)

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

**Stack:** Go

- Prevalence: Very Common OWASP Top 10 since 2010
- Impact: Critical Data breach, auth bypass, RCE
- Prevention: Well understood Parameterized queries

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database.

## Prevention

1 件の Shoulder 検出ルールに基づく SQL Injection の予防策。

### Go

Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders

## Warning Signs

- [CRITICAL] user input flowing to SQL queries without parameterization

## Consequences

- アプリケーションデータの読み取り
- アプリケーションデータの変更
- 保護メカニズムの回避
- 未承認コマンドの実行

## Mitigations

- パラメータ化クエリまたはプリペアドステートメントを使用する
- パラメータ化クエリでストアドプロシージャを使用する
- ユーザー入力はすべて、データベース固有のエスケープルーチンでエスケープする

## Detection

- Total rules: 7
- Critical: 6
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **SQL Injection via Database Queries** [CRITICAL]: Detects user input flowing to SQL queries without parameterization.
  - Remediation: Use parameterized queries with placeholders instead of string concatenation.

```go
rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID)
```

Learn more: https://shoulder.dev/learn/go/cwe-89/sql-injection