SQL Injection (CWE-89) - Security Vulnerability

Improper Neutralization of Special Elements used in an SQL Command

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

Rozpowszechnienie

Very Common

OWASP Top 10 since 2010

Wplyw

Critical

Data breach, auth bypass, RCE

Zapobieganie

Well understood

Parameterized queries

2 Zapobieganie

Jak naprawić tę podatność

Strategie zapobiegania dla SQL Injection oparte na 7 regułach detekcji Shoulder.

🐹 Go Zobacz wszystko Go szczegóły →

SQL Injection via Database Queries CRITICAL

Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders

+1 -2 go

  func getUser(w http.ResponseWriter, r *http.Request) {
      userID := r.URL.Query().Get("id")
-     query := "SELECT * FROM users WHERE id = " + userID
-     rows, err := db.Query(query)
+     rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID)
      // ...
  }

🟨 JavaScript Zobacz wszystko JavaScript szczegóły →

SQL Injection via Database Queries CRITICAL

Use parameterized queries with placeholder syntax

+2 -2 javascript

- const query = `SELECT * FROM users WHERE id = '${req.params.id}'`;
- await db.query(query);
+ const query = 'SELECT * FROM users WHERE id = $1';
+ await db.query(query, [req.params.id]);

Prisma Raw Query SQL Injection CRITICAL

Use Prisma.sql tagged template for parameterized raw queries instead of regular template literals

+10 -11 javascript

- import { PrismaClient } from '@prisma/client';
- const prisma = new PrismaClient();
- 
- app.get('/api/users/search', async (req, res) => {
-   const { name } = req.query;
-   const users = await prisma.$queryRaw`
-     SELECT * FROM "User" WHERE name LIKE '%${name}%'
-   `;
-   res.json(users);
- });
- // Attacker sends: name=' OR 1=1 --
+ import { PrismaClient, Prisma } from '@prisma/client';
+ const prisma = new PrismaClient();
+ 
+ app.get('/api/users/search', async (req, res) => {
+   const { name } = req.query;
+   const users = await prisma.$queryRaw(
+     Prisma.sql`SELECT * FROM "User" WHERE name LIKE ${`%${name}%`}`
+   );
+   res.json(users);
+ });

TypeORM SQL Injection in Raw Query CRITICAL

Use parameterized queries with positional (?) or named (:param) placeholders instead of string interpolation

+5 -5 javascript

  import { getManager } from 'typeorm';
  
  app.get('/api/users/search', async (req, res) => {
    const { name, role } = req.query;
    const manager = getManager();
    const users = await manager.query(
-     `SELECT * FROM users WHERE name = '${name}' AND role = '${role}'`
-   );
-   res.json(users);
- });
- // Attacker sends: name=' OR '1'='1' --
+     'SELECT * FROM users WHERE name = $1 AND role = $2',
+     [name, role]
+   );
+   res.json(users);
+ });

🐍 Python Zobacz wszystko Python szczegóły →

GraphQL Injection / Unsafe Query Construction HIGH

Use parameterized GraphQL queries with variables instead of string formatting

+3 -3 python

  from flask import request
  import graphene
  
  @app.route('/graphql', methods=['POST'])
  def graphql_endpoint():
-     user_id = request.json.get('id')
-     query = f'{{ user(id: "{user_id}") {{ name email }} }}'
-     result = schema.execute(query)
+     query = request.json.get('query')
+     variables = request.json.get('variables', {})
+     result = schema.execute(query, variables=variables)
      return jsonify(result.data)

3 Wykrywanie

Znajdz podatnosci w swoim kodzie

Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow SQL Injection. 7 reguly.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=89

# Or scan entire project
npx @shoulderdev/cli trust .

Reguly Wykrywania (7)

🟨 Javascript 4 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing into SQL queries without parameterization.

Prisma Raw Query SQL Injection CRITICAL

Using template literals instead of Prisma.sql`` in $queryRaw bypasses parameter binding and enables SQL injection.

TypeORM SQL Injection in Raw Query CRITICAL

Raw SQL queries with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

TypeORM Query Builder SQL Injection CRITICAL

QueryBuilder where clauses with template literals or concatenation bypass parameter binding, enabling SQL injection.

🔷 Typescript 4 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing into SQL queries without parameterization.

Prisma Raw Query SQL Injection CRITICAL

Using template literals instead of Prisma.sql`` in $queryRaw bypasses parameter binding and enables SQL injection.

TypeORM SQL Injection in Raw Query CRITICAL

Raw SQL queries with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

TypeORM Query Builder SQL Injection CRITICAL

QueryBuilder where clauses with template literals or concatenation bypass parameter binding, enabling SQL injection.

🐍 Python 2 rules

GraphQL Injection / Unsafe Query Construction HIGH

Detects unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection in production. These can lead to injection attacks, DoS via deeply nested queries, or information disclosure.

SQL Injection via Database Queries CRITICAL

Detects untrusted user input flowing into SQL database queries without proper parameterization.

🐹 Go 1 rules

SQL Injection via Database Queries CRITICAL

Detects user input flowing to SQL queries without parameterization.

4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci SQL Injection. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟠

unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introsp python-graphql-injection

🔴

user input flowing to SQL queries without parameterization go-sql-injection

🔴

user input flowing into SQL queries without parameterization javascript-sql-injection

🔴

Raw SQL query uses untrusted input without proper parameterization. Use Prisma.sql`` template tag for safe parameter bin prisma-raw-query-injection

🔴

untrusted user input flowing into SQL database queries without proper parameterization python-sql-injection

🔴

Raw SQL query method uses untrusted input without parameterization. Use parameterized queries with ? or $1 placeholders. typeorm-sql-injection-raw-query

🔴

QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders. typeorm-unsafe-query-builder

5 Audyt kodu

Wzorce do ręcznego przeglądu

Podczas ręcznego przeglądu kodu szukaj tych niebezpiecznych wzorców.

Sygnały ostrzegawcze, których szukać

query = + konkatenacja łańcuchów

execute(f"... or execute("..." +

raw_query, rawQuery, executeRaw

${ or #{ wewnątrz łańcuchów SQL

6 Analiza eksperta

Jak myślą eksperci ds. bezpieczeństwa

Model myślowy, którego specjaliści ds. bezpieczeństwa używają podczas przeglądu tej podatności.

Zmapuj punkty wejścia

Parametry URL, ciała POST, nagłówki, cookies, przesyłanie plików.

Śledź przepływ danych

Śledź wejście przez kod. Czy jest sanitizowane?

Zidentyfikuj punkty końcowe (sinks)

Where queries are executed: execute(), query()

Sprawdź granice zaufania

Uważaj na przechowywane dane używane w zapytaniach.

🔍

Przeskanuj swój kod w poszukiwaniu SQL Injection

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły