typescript.sql_injection

Correctness · Critical · Common in Incidents

Detects SQL queries built with string concatenation or template literals.

SQL injection enables attackers to:

  • Steal data — Read your entire database
  • Modify data — Update, delete, or corrupt records
  • Bypass authentication — Log in as any user
  • Escalate privileges — Gain admin access

Template literals make it easy to write vulnerable code.

```typescript
// ❌ Before: the user-controlled value is spliced into the SQL text itself
const query = `SELECT * FROM users WHERE id = ${userId}`;
await db.query(query);

// Also bad: plain string concatenation does the same thing
const unsafeQuery = "SELECT * FROM users WHERE name = '" + name + "'";

// ✅ After: the value travels separately as a bound parameter, never as SQL text
await db.query('SELECT * FROM users WHERE id = $1', [userId]);

// Or with an ORM, which binds the value for you
const user = await User.findOne({ where: { id: userId } });
```
The rule flags:

  • Template literals with SQL keywords and variables
  • String concatenation in query strings
  • Missing parameterized queries in known DB libraries

Unfault can convert vulnerable queries to parameterized form when the transformation pattern is clear.
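To make the three flagged patterns and the parameterized rewrite concrete, here is an added example that is not Unfault's own implementation: a small line-based scanner over TypeScript/JavaScript source text that reports template literals carrying SQL keywords plus `${...}` interpolation and string literals with SQL keywords joined to a variable by `+`, together with a rewrite of a flagged template literal into Postgres-style `$n` placeholders. The function names `scanSource` and `parameterize`, the `Finding` shape, the keyword list and the sample source are all assumptions made for this example; a real rule works on the AST rather than on lines.

```typescript
// Added example, not Unfault's own code. Assumption: each statement fits on one
// line of plain TS/JS text; the keyword list is illustrative, not exhaustive.

const SQL_KEYWORDS = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|FROM|WHERE|INTO|VALUES)\b/i;
// Any string literal on a line: double-, single- or backtick-quoted, escapes allowed.
const STRING_LITERAL = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g;
// A quote followed by "+ identifier", or an identifier/expression followed by "+ quote".
const CONCAT_WITH_IDENT = /["']\s*\+\s*[A-Za-z_$]|[\w$)\]]\s*\+\s*["']/;

interface Finding {
  line: number;
  kind: "template-literal" | "concatenation";
  snippet: string;
}

// Report the two unsafe query-building patterns described by the rule.
function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    if (text.trim().startsWith("//")) return; // skip comment-only lines
    const literals = text.match(STRING_LITERAL) ?? [];
    for (const lit of literals) {
      if (!SQL_KEYWORDS.test(lit)) continue; // not SQL text, e.g. `Hello ${name}`
      if (lit.startsWith("`") && /\$\{[^}]*\}/.test(lit)) {
        // SQL text with ${...} interpolation: the value lands inside the query string
        findings.push({ line, kind: "template-literal", snippet: lit });
      } else if (!lit.startsWith("`") && CONCAT_WITH_IDENT.test(text)) {
        // SQL text joined to a variable with "+"; one finding per line is enough
        findings.push({ line, kind: "concatenation", snippet: text.trim() });
        break;
      }
    }
  });
  return findings;
}

// Rewrite a flagged template literal into a parameterized query: each ${expr}
// becomes $1, $2, ... and the expressions become the parameter list. Single quotes
// wrapped around an interpolation ('${name}') are dropped, since a bound value
// needs no quoting; that is the case where a naive textual rewrite goes wrong.
function parameterize(templateLiteral: string): { sql: string; params: string[] } {
  const params: string[] = [];
  const body = templateLiteral.slice(1, -1); // strip the backticks
  const sql = body.replace(/'?\$\{([^}]*)\}'?/g, (_match, expr: string) => {
    params.push(expr.trim());
    return `$${params.length}`;
  });
  return { sql, params };
}

// Constructed sample source, mirroring the rule's own before/after snippets.
const SAMPLE = [
  "const query = `SELECT * FROM users WHERE id = ${userId}`;",        // flagged
  "const q2 = \"SELECT * FROM users WHERE name = '\" + name + \"'\";", // flagged
  "await db.query('SELECT * FROM users WHERE id = $1', [userId]);",  // safe
  "const greeting = `Hello ${user.name}`;",                          // not SQL
  "await knex.raw('SELECT * FROM users WHERE id = ?', [userId]);",   // safe
  "await db.query(`SELECT * FROM users WHERE id = $1`, [userId]);",  // safe: no ${}
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind}: ${f.snippet}`);
  if (f.kind === "template-literal") {
    console.log("  suggested:", parameterize(f.snippet));
  }
}
```

Only the first two sample lines are reported; the `$1` and `?` placeholder forms and the non-SQL template literal pass, and the template-literal finding rewrites to `SELECT * FROM users WHERE id = $1` with `['userId']` as the parameter list.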

```typescript
// Prisma (safe by default)
const user = await prisma.user.findUnique({
  where: { id: userId }
});
```

```typescript
// TypeORM (use parameters)
const user = await userRepository
  .createQueryBuilder('user')
  .where('user.id = :id', { id: userId })
  .getOne();
```

```typescript
// Knex (use parameters)
const user = await knex('users')
  .where('id', userId)
  .first();

// Raw query with parameters
await knex.raw('SELECT * FROM users WHERE id = ?', [userId]);
```