Severity: CRITICAL | CWE-89 | Category: Injection
SQL Injection via Unsanitized Input
Description
User input is concatenated directly into SQL queries without parameterization, allowing attackers to manipulate query logic.
How Vezraa Detects It
We probe your API endpoints with SQL injection payloads and analyze error messages and response times for injection indicators.
Real-World Impact
Attackers can read, modify, or delete any data in your database, including user credentials, payment records, and business data.
Fix Example
// BAD — string concatenation: userId becomes part of the SQL text,
// so a crafted value can rewrite the query's logic
const unsafeQuery = `SELECT * FROM users WHERE id = ${userId}`;
db.query(unsafeQuery);

// GOOD — parameterised query: the driver sends userId as a bound value,
// never as SQL text, so it cannot alter the statement
const query = 'SELECT * FROM users WHERE id = $1';
db.query(query, [userId]);
Affected Stacks
Express, PHP, raw SQL queries