Improper Neutralization of Special Elements used in an SQL Command
User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.
普遍性
Very Common
OWASP Top 10 since 2010
影响
Critical
Data breach, auth bypass, RCE
预防
Well understood
Parameterized queries
2 预防
2 预防
如何修复此漏洞
基于 7 条 Shoulder 检测规则的 SQL Injection 预防策略。
Go
查看全部 Go 详情 →
SQL Injection via Database Queries
CRITICAL
Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders
func getUser(w http.ResponseWriter, r *http.Request) { userID := r.URL.Query().Get("id") - query := "SELECT * FROM users WHERE id = " + userID - rows, err := db.Query(query) + rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID) // ... }
JavaScript
查看全部 JavaScript 详情 →
SQL Injection via Database Queries
CRITICAL
Use parameterized queries with placeholder syntax
- const query = `SELECT * FROM users WHERE id = '${req.params.id}'`; - await db.query(query); + const query = 'SELECT * FROM users WHERE id = $1'; + await db.query(query, [req.params.id]);
Prisma Raw Query SQL Injection
CRITICAL
Use Prisma.sql tagged template for parameterized raw queries instead of regular template literals
- import { PrismaClient } from '@prisma/client'; - const prisma = new PrismaClient(); - - app.get('/api/users/search', async (req, res) => { - const { name } = req.query; - const users = await prisma.$queryRaw` - SELECT * FROM "User" WHERE name LIKE '%${name}%' - `; - res.json(users); - }); - // Attacker sends: name=' OR 1=1 -- + import { PrismaClient, Prisma } from '@prisma/client'; + const prisma = new PrismaClient(); + + app.get('/api/users/search', async (req, res) => { + const { name } = req.query; + const users = await prisma.$queryRaw( + Prisma.sql`SELECT * FROM "User" WHERE name LIKE ${`%${name}%`}` + ); + res.json(users); + });
TypeORM SQL Injection in Raw Query
CRITICAL
Use parameterized queries with positional (?) or named (:param) placeholders instead of string interpolation
import { getManager } from 'typeorm'; app.get('/api/users/search', async (req, res) => { const { name, role } = req.query; const manager = getManager(); const users = await manager.query( - `SELECT * FROM users WHERE name = '${name}' AND role = '${role}'` - ); - res.json(users); - }); - // Attacker sends: name=' OR '1'='1' -- + 'SELECT * FROM users WHERE name = $1 AND role = $2', + [name, role] + ); + res.json(users); + });
Python
查看全部 Python 详情 →
GraphQL Injection / Unsafe Query Construction
HIGH
Use parameterized GraphQL queries with variables instead of string formatting
from flask import request import graphene @app.route('/graphql', methods=['POST']) def graphql_endpoint(): - user_id = request.json.get('id') - query = f'{{ user(id: "{user_id}") {{ name email }} }}' - result = schema.execute(query) + query = request.json.get('query') + variables = request.json.get('variables', {}) + result = schema.execute(query, variables=variables) return jsonify(result.data)
3 检测
3 检测
查找代码中的漏洞
使用Shoulder扫描代码中的SQL Injection模式。 7 规则.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=89 # Or scan entire project npx @shoulderdev/cli trust .
检测规则 (7)
🟨
Javascript
4 rules
SQL Injection via Database Queries
CRITICAL
Detects user input flowing into SQL queries without parameterization.
Prisma Raw Query SQL Injection
CRITICAL
Using template literals instead of Prisma.sql`` in $queryRaw bypasses
parameter binding and enables SQL injection.
TypeORM SQL Injection in Raw Query
CRITICAL
Raw SQL queries with string concatenation or template literals bypass TypeORM's
parameterization, enabling SQL injection attacks.
TypeORM Query Builder SQL Injection
CRITICAL
QueryBuilder where clauses with template literals or concatenation bypass
parameter binding, enabling SQL injection.
🔷
Typescript
4 rules
SQL Injection via Database Queries
CRITICAL
Detects user input flowing into SQL queries without parameterization.
Prisma Raw Query SQL Injection
CRITICAL
Using template literals instead of Prisma.sql`` in $queryRaw bypasses
parameter binding and enables SQL injection.
TypeORM SQL Injection in Raw Query
CRITICAL
Raw SQL queries with string concatenation or template literals bypass TypeORM's
parameterization, enabling SQL injection attacks.
TypeORM Query Builder SQL Injection
CRITICAL
QueryBuilder where clauses with template literals or concatenation bypass
parameter binding, enabling SQL injection.
🐍
Python
2 rules
GraphQL Injection / Unsafe Query Construction
HIGH
Detects unsafe GraphQL query construction with user input, missing query depth
limiting, or disabled introspection in production. These can lead to injection
attacks, DoS via deeply nested queries, or information disclosure.
SQL Injection via Database Queries
CRITICAL
Detects untrusted user input flowing into SQL database queries without proper
parameterization.
4 警告信号
4 警告信号
代码审查中需要关注的内容
这些模式表明潜在的SQL Injection漏洞。在代码审查和安全审计中注意查找。
unsafe GraphQL query construction with user input, missing query depth
limiting, or disabled introsp
python-graphql-injection
user input flowing to SQL queries without parameterization
go-sql-injection
user input flowing into SQL queries without parameterization
javascript-sql-injection
Raw SQL query uses untrusted input without proper parameterization. Use Prisma.sql`` template tag for safe parameter bin
prisma-raw-query-injection
untrusted user input flowing into SQL database queries without proper
parameterization
python-sql-injection
Raw SQL query method uses untrusted input without parameterization. Use parameterized queries with ? or $1 placeholders.
typeorm-sql-injection-raw-query
QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders.
typeorm-unsafe-query-builder
5 代码审计
5 代码审计
手动审查模式
手动审查代码时,寻找这些危险模式。
需要搜索的危险信号
query = + 字符串拼接execute(f"... or execute("..." +raw_query, rawQuery, executeRaw${ or #{ 在 SQL 字符串内部
6 专家分析
6 专家分析
安全专家的思维方式
安全专业人员审查此漏洞时使用的思维模型。
1
映射入口点
URL 参数、POST 主体、标头、cookie、文件上传。
2
跟踪数据流
跟踪输入在代码中的流转。它是否经过净化?
3
识别汇点
Where queries are executed: execute(), query()
4
检查信任边界
注意在查询中使用的已存储数据。