# TypeORM Query Builder SQL Injection

- ID: typeorm-unsafe-query-builder
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript
- Frameworks: typeorm

## Description

QueryBuilder `where` clauses built with template literals or string concatenation bypass parameter binding, so untrusted input becomes part of the SQL text and enables SQL injection.

## Detection Message

QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders.

## Remediation

Use named parameters in QueryBuilder where clauses; the value is passed separately from the clause text and is never spliced into the SQL string.

```typescript
const users = await repository
  .createQueryBuilder('user')
  .where('user.role = :role', { role })
  .getMany();
```

Learn more: https://shoulder.dev/learn/typescript/cwe-89/unsafe-query-builder

## Related Rules

- **SQL Injection via Database Queries** [CRITICAL]:
- **Prisma Raw Query SQL Injection** [CRITICAL]:
- **GraphQL Injection / Unsafe Query Construction** [HIGH]:
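The check this rule describes, as an added example that is not part of the rule page or of TypeORM: a small source scanner that flags `where`/`andWhere`/`orWhere`/`having` calls whose clause argument uses template-literal interpolation or `+` concatenation, and accepts clauses that use `:name` or `?` binding. The method list, the `Finding` shape and the sample source are assumptions constructed for this example.

```typescript
// Added example (not the rule's or TypeORM's own code). Scans TypeScript/JavaScript
// source text for QueryBuilder clause calls that build SQL from dynamic strings.
interface Finding {
  line: number;                                  // 1-based line of the call
  method: string;                                // where | andWhere | orWhere | having
  reason: "template-interpolation" | "concatenation";
  snippet: string;                               // the clause argument as written
}

// Returns the text of the first argument after the '(' at openParen, honouring
// quotes and nested parentheses so commas inside strings are not treated as separators.
function firstArgument(src: string, openParen: number): string {
  let depth = 0;
  let quote: string | null = null;
  for (let i = openParen + 1; i < src.length; i++) {
    const c = src[i];
    if (quote) {                                 // inside a string literal
      if (c === "\\") { i++; continue; }         // skip escaped character
      if (c === quote) quote = null;
      continue;
    }
    if (c === "'" || c === '"' || c === "`") { quote = c; continue; }
    if (c === "(") depth++;
    else if (c === ")") { if (depth === 0) return src.slice(openParen + 1, i); depth--; }
    else if (c === "," && depth === 0) return src.slice(openParen + 1, i);
  }
  return src.slice(openParen + 1);               // unterminated call: take the rest
}

// Removes string literals so that a remaining '+' is a real concatenation operator.
function stripStrings(arg: string): string {
  return arg.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:\\.|[^`\\])*`/g, "");
}

function scanQueryBuilder(src: string): Finding[] {
  const findings: Finding[] = [];
  const callRe = /\.(where|andWhere|orWhere|having)\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = callRe.exec(src)) !== null) {
    const openParen = m.index + m[0].length - 1;
    const arg = firstArgument(src, openParen).trim();
    const line = src.slice(0, m.index).split("\n").length;
    if (/`[^`]*\$\{/.test(arg)) {                // template literal with ${...}
      findings.push({ line, method: m[1], reason: "template-interpolation", snippet: arg });
    } else if (stripStrings(arg).includes("+")) { // '+' outside any string literal
      findings.push({ line, method: m[1], reason: "concatenation", snippet: arg });
    }
    // A bare identifier (a clause built elsewhere) is not flagged here; a fuller
    // analysis would follow the variable to its definition.
  }
  return findings;
}

// Constructed sample: one bound clause, one interpolated, one concatenated, one '?'-bound.
const SAMPLE_SOURCE = `
const a = await repo.createQueryBuilder('user')
  .where('user.role = :role', { role })
  .getMany();
const b = await repo.createQueryBuilder('user')
  .where(\`user.name = '\${name}'\`)
  .getMany();
const c = await repo.createQueryBuilder('user')
  .where("user.email = '" + email + "'")
  .andWhere('user.active = ?', [true])
  .getMany();
`;
```

Running `scanQueryBuilder(SAMPLE_SOURCE)` reports the interpolated clause on line 6 and the concatenated one on line 9; the two bound clauses produce no findings.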