BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.
🗃️

SQL Injection

🛡️ 7 rules detect this

Improper Neutralization of Special Elements used in an SQL Command

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

Prevalence
Very Common
OWASP Top 10 since 2010
Impact
Critical
Data breach, auth bypass, RCE
Prevention
Well understood
Parameterized queries
2 Prevention
2 Prevention

How to fix this vulnerability

Prevention strategies for SQL Injection based on 7 Shoulder detection rules.

🐹 Go View all Go details →
SQL Injection via Database Queries CRITICAL

Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders

+1 -2 go 
  func getUser(w http.ResponseWriter, r *http.Request) {
      userID := r.URL.Query().Get("id")
-     query := "SELECT * FROM users WHERE id = " + userID
-     rows, err := db.Query(query)
+     rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID)
      // ...
  }
🟨 JavaScript View all JavaScript details →
SQL Injection via Database Queries CRITICAL

Use parameterized queries with placeholder syntax

+2 -2 javascript 
- const query = `SELECT * FROM users WHERE id = '${req.params.id}'`;
- await db.query(query);
+ const query = 'SELECT * FROM users WHERE id = $1';
+ await db.query(query, [req.params.id]);
Prisma Raw Query SQL Injection CRITICAL

Use Prisma.sql tagged template for parameterized raw queries instead of regular template literals

+10 -11 javascript 
- import { PrismaClient } from '@prisma/client';
- const prisma = new PrismaClient();
- 
- app.get('/api/users/search', async (req, res) => {
-   const { name } = req.query;
-   const users = await prisma.$queryRaw`
-     SELECT * FROM "User" WHERE name LIKE '%${name}%'
-   `;
-   res.json(users);
- });
- // Attacker sends: name=' OR 1=1 --
+ import { PrismaClient, Prisma } from '@prisma/client';
+ const prisma = new PrismaClient();
+ 
+ app.get('/api/users/search', async (req, res) => {
+   const { name } = req.query;
+   const users = await prisma.$queryRaw(
+     Prisma.sql`SELECT * FROM "User" WHERE name LIKE ${`%${name}%`}`
+   );
+   res.json(users);
+ });
TypeORM SQL Injection in Raw Query CRITICAL

Use parameterized queries with positional (?) or named (:param) placeholders instead of string interpolation

+5 -5 javascript 
  import { getManager } from 'typeorm';
  
  app.get('/api/users/search', async (req, res) => {
    const { name, role } = req.query;
    const manager = getManager();
    const users = await manager.query(
-     `SELECT * FROM users WHERE name = '${name}' AND role = '${role}'`
-   );
-   res.json(users);
- });
- // Attacker sends: name=' OR '1'='1' --
+     'SELECT * FROM users WHERE name = $1 AND role = $2',
+     [name, role]
+   );
+   res.json(users);
+ });
🐍 Python View all Python details →
GraphQL Injection / Unsafe Query Construction HIGH

Use parameterized GraphQL queries with variables instead of string formatting

+3 -3 python 
  from flask import request
  import graphene
  
  @app.route('/graphql', methods=['POST'])
  def graphql_endpoint():
-     user_id = request.json.get('id')
-     query = f'{{ user(id: "{user_id}") {{ name email }} }}'
-     result = schema.execute(query)
+     query = request.json.get('query')
+     variables = request.json.get('variables', {})
+     result = schema.execute(query, variables=variables)
      return jsonify(result.data)
3 Detection
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for SQL Injection patterns. 7 rules.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=89

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (7)

4 Warning Signs
4 Warning Signs

What to watch for in code reviews

These patterns indicate potential SQL Injection vulnerabilities. Look for these during code reviews and security audits.

🟠
unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introsp python-graphql-injection
🔴
user input flowing to SQL queries without parameterization go-sql-injection
🔴
user input flowing into SQL queries without parameterization javascript-sql-injection
🔴
Raw SQL query uses untrusted input without proper parameterization. Use Prisma.sql`` template tag for safe parameter bin prisma-raw-query-injection
🔴
untrusted user input flowing into SQL database queries without proper parameterization python-sql-injection
🔴
Raw SQL query method uses untrusted input without parameterization. Use parameterized queries with ? or $1 placeholders. typeorm-sql-injection-raw-query
🔴
QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders. typeorm-unsafe-query-builder
5 Code audit
5 Code audit

Manual review patterns

When reviewing code manually, search for these dangerous patterns.

Red flags to search for
query = + string concatenation
execute(f"... or execute("..." +
raw_query, rawQuery, executeRaw
${ or #{ inside SQL strings
6 Expert analysis
6 Expert analysis

How security experts think

The mental model security professionals use when reviewing for this vulnerability.

1

Map entry points

URL params, POST bodies, headers, cookies, file uploads.

2

Trace data flow

Follow input through the code. Does it get sanitized?

3

Identify sinks

Where queries are executed: execute(), query()

4

Check trust boundaries

Watch for stored data used in queries.

🔍

Scan your codebase for SQL Injection

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules
Related vulnerabilities
CWE-943 NoSQL Injection MongoDB, DynamoDB CWE-78 Command Injection OS command execution CWE-90 LDAP Injection Directory services CWE-643 XPath Injection XML data queries