# SQL Injection via Database Queries

- ID: javascript-sql-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs, lambda, serverless, graphql

## Description

Detects user input flowing into SQL queries without parameterization.

## Detection Message

Untrusted input from {source} reaches SQL query at:

Code: {sink_code}

This allows an attacker to manipulate database queries and access unauthorized data.

## Remediation

Use parameterized queries with placeholders.

```javascript
db.query('SELECT * FROM users WHERE id = ?', [userId]);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-89/sql-injection

## Related Rules

- **SQL Injection via Database Queries** [CRITICAL]
- **Prisma Raw Query SQL Injection** [CRITICAL]
- **GraphQL Injection / Unsafe Query Construction** [HIGH]
- **SQL Injection via Database Queries** [CRITICAL]
- **TypeORM SQL Injection in Raw Query** [CRITICAL]
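The following is an added example illustrating the Remediation section; it is not part of the rule documentation or of the shoulder.dev project. It places the query-building pattern this rule flags next to the parameterized form the remediation recommends, and uses a hypothetical `bindForDisplay` helper (an assumption, standing in for the placeholder binding a real driver such as mysql2 or pg performs) so the difference is visible offline without a database.

```javascript
// Added example, not code from the rule documentation or the shoulder.dev project.
// The `db` client mentioned in comments and the bindForDisplay helper are
// hypothetical stand-ins for what a real database driver does internally.

// Flagged by the rule: untrusted input becomes part of the SQL text, so the
// database parses whatever the caller supplied as SQL.
function buildUserQueryUnsafe(userId) {
  return { text: `SELECT * FROM users WHERE id = ${userId}`, values: [] };
}

// Remediated form: the SQL text is a constant containing only a placeholder;
// the input travels in the values array and is bound by the driver as data
// (db.query(query.text, query.values) with a real client).
function buildUserQuerySafe(userId) {
  return { text: 'SELECT * FROM users WHERE id = ?', values: [userId] };
}

// Hypothetical stand-in for a driver's placeholder binding, used only to make
// the effect visible: each `?` is replaced by its value rendered as a quoted
// string literal with embedded quotes doubled. Like real drivers, it refuses a
// mismatch between the number of placeholders and the number of values.
function bindForDisplay(query) {
  const placeholders = (query.text.match(/\?/g) || []).length;
  if (placeholders !== query.values.length) {
    throw new Error(`expected ${placeholders} values, got ${query.values.length}`);
  }
  let i = 0;
  return query.text.replace(/\?/g, () => {
    const v = String(query.values[i++]);
    return `'${v.replace(/'/g, "''")}'`;
  });
}

// Constructed hostile input of the kind the detection message describes.
const hostile = "1 OR 1=1";

console.log(buildUserQueryUnsafe(hostile).text);
// WHERE clause rewritten by the input: SELECT * FROM users WHERE id = 1 OR 1=1
console.log(bindForDisplay(buildUserQuerySafe(hostile)));
// input stays a literal value:        SELECT * FROM users WHERE id = '1 OR 1=1'
```

The point the rule makes is visible in the two outputs: in the unsafe builder the input changes the structure of the statement, while in the parameterized builder the statement text never changes and the input can only ever be a value compared against `id`.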