# SQL Injection via Database Queries

- ID: go-sql-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi, gorilla

## Description

Detects user input flowing to SQL queries without parameterization.

## Detection Message

Untrusted input from {source} reaches SQL query at:

Code: {sink_code}

This allows an attacker to manipulate database queries and access unauthorized data.

## Remediation

Use parameterized queries with placeholders instead of string concatenation.

```go
rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID)
```

Learn more: https://shoulder.dev/learn/go/cwe-89/sql-injection

## Related Rules

- **SQL Injection via Database Queries** [CRITICAL]
- **Prisma Raw Query SQL Injection** [CRITICAL]
- **GraphQL Injection / Unsafe Query Construction** [HIGH]
- **SQL Injection via Database Queries** [CRITICAL]
- **TypeORM SQL Injection in Raw Query** [CRITICAL]
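The following added example (not part of the rule's own code) makes the difference between the flagged sink and the remediation observable without a real database. It registers a constructed `database/sql` driver named `recording` that accepts any statement and records the SQL text and bound arguments it receives, then runs the concatenated query beside the parameterized one with the same constructed tainted value. The `findUserUnsafe`, `findUserSafe`, `runQuery` and `recording*` names are this example's own; the `users` table and `$1` placeholder follow the Remediation snippet above.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"sync"
)

// recordingDriver is a constructed stand-in for a real database driver: it
// accepts any statement, records the SQL text and the bound arguments that
// database/sql hands it, and returns no rows. It exists only to make the
// difference between the two query styles observable offline.
type recordingDriver struct{}
type recordingConn struct{}
type recordingStmt struct{ query string }
type recordingRows struct{}

var (
	recMu     sync.Mutex
	lastQuery string         // SQL text the "server" would parse
	lastArgs  []driver.Value // values bound separately from that text
)

func (recordingDriver) Open(string) (driver.Conn, error) { return recordingConn{}, nil }

func (recordingConn) Prepare(q string) (driver.Stmt, error) { return recordingStmt{query: q}, nil }
func (recordingConn) Close() error                          { return nil }
func (recordingConn) Begin() (driver.Tx, error) {
	return nil, errors.New("transactions not supported by the recording driver")
}

func (recordingStmt) Close() error { return nil }

// -1 tells database/sql not to validate the placeholder count itself.
func (recordingStmt) NumInput() int { return -1 }

func (s recordingStmt) Exec(args []driver.Value) (driver.Result, error) {
	record(s.query, args)
	return driver.RowsAffected(0), nil
}

func (s recordingStmt) Query(args []driver.Value) (driver.Rows, error) {
	record(s.query, args)
	return recordingRows{}, nil
}

func (recordingRows) Columns() []string         { return []string{"id"} }
func (recordingRows) Close() error              { return nil }
func (recordingRows) Next([]driver.Value) error { return io.EOF }

func record(q string, args []driver.Value) {
	recMu.Lock()
	defer recMu.Unlock()
	lastQuery = q
	lastArgs = append([]driver.Value(nil), args...)
}

func init() { sql.Register("recording", recordingDriver{}) }

// runQuery executes fn against the recording driver and reports the statement
// text and the bound arguments that reached the driver.
func runQuery(fn func(*sql.DB) (*sql.Rows, error)) (query string, args []string, err error) {
	db, err := sql.Open("recording", "")
	if err != nil {
		return "", nil, err
	}
	defer db.Close()
	rows, err := fn(db)
	if err != nil {
		return "", nil, err
	}
	rows.Close()
	recMu.Lock()
	defer recMu.Unlock()
	for _, a := range lastArgs {
		args = append(args, fmt.Sprint(a))
	}
	return lastQuery, args, nil
}

// findUserUnsafe is the sink this rule reports: untrusted userID is spliced
// into the statement text, so the database parses it as SQL.
func findUserUnsafe(userID string) (string, []string, error) {
	return runQuery(func(db *sql.DB) (*sql.Rows, error) {
		return db.Query("SELECT * FROM users WHERE id = " + userID)
	})
}

// findUserSafe is the remediated form: the statement text is a constant and
// userID travels as a bound argument that is never parsed as SQL.
func findUserSafe(userID string) (string, []string, error) {
	return runQuery(func(db *sql.DB) (*sql.Rows, error) {
		return db.Query("SELECT * FROM users WHERE id = $1", userID)
	})
}

func main() {
	tainted := "1 OR 1=1" // constructed tainted input, e.g. from a URL parameter
	for _, c := range []struct {
		name string
		fn   func(string) (string, []string, error)
	}{{"unsafe", findUserUnsafe}, {"safe", findUserSafe}} {
		q, args, err := c.fn(tainted)
		fmt.Printf("%-6s query=%q args=%q err=%v\n", c.name, q, args, err)
	}
}
```

Running it shows the unsafe form handing the driver `SELECT * FROM users WHERE id = 1 OR 1=1` with no arguments, while the safe form hands over the unchanged template `... WHERE id = $1` plus the tainted value as a single bound argument. Real drivers (pgx, lib/pq, go-sql-driver/mysql) differ only in placeholder syntax (`$1` versus `?`); the separation of text from values is what the rule is checking for, so a reviewer can confirm a fix by verifying that no variable is ever concatenated or formatted into the first argument of `Query`, `QueryRow` or `Exec`.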