CRITICAL | CWE-89 | Injection

SQL Injection via Unsanitized Input

Description

User input is concatenated directly into SQL queries without parameterization, allowing attackers to manipulate query logic.

How Vezraa Detects It

We probe your API endpoints with SQL injection payloads and analyze error messages and response times for injection indicators.

Real-World Impact

Attackers can read, modify, or delete any data in your database, including user credentials, payment records, and business data.

Fix Example

// BAD — string concatenation: the untrusted value becomes part of the SQL text
const unsafeQuery = `SELECT * FROM users WHERE id = ${userId}`;
db.query(unsafeQuery);

// GOOD — parameterised query: the SQL text is constant and the value is bound separately,
// so the driver never parses it as SQL
const safeQuery = 'SELECT * FROM users WHERE id = $1';
db.query(safeQuery, [userId]);
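The following is an added example, not Vezraa's code: it runs the concatenated and the parameterised form of the query above against a small in-memory stand-in for the database, so the difference in returned rows is visible without a real server. The sample rows, the tiny WHERE evaluator and the fakeQuery function are constructed for this demonstration; fakeQuery only imitates the (text, values) signature and the $1 placeholder style used in the fix, it is not a real driver.

```javascript
// Constructed sample table standing in for the real `users` table.
const USERS = [
  { id: 1, name: 'alice', role: 'admin' },
  { id: 2, name: 'bob', role: 'user' },
  { id: 3, name: 'carol', role: 'user' },
];

// Resolve one token of a comparison: an integer literal, a column of the
// current row, or a bound parameter ($1, $2, ...). A bound parameter is a
// single scalar value and is never re-tokenised as SQL; that separation of
// code from data is what parameterisation buys you.
function resolveToken(token, row, values) {
  if (/^\$\d+$/.test(token)) {
    const value = values[Number(token.slice(1)) - 1];
    // Mimic the driver casting a digit-only string to the integer column;
    // anything else stays a string, which can never equal an integer id.
    return /^\d+$/.test(String(value)) ? Number(value) : String(value);
  }
  if (/^\d+$/.test(token)) return Number(token);
  if (Object.prototype.hasOwnProperty.call(row, token)) return row[token];
  throw new Error(`unknown column: ${token}`);
}

// Minimal WHERE evaluator: comparisons of the form `a = b` joined by AND/OR.
// It plays the role of the database engine and interprets whatever text
// ends up in the clause, just as a real engine would.
function evaluateWhere(whereText, row, values) {
  return whereText.split(/\s+OR\s+/i).some((group) =>
    group.split(/\s+AND\s+/i).every((cmp) => {
      const m = cmp.trim().match(/^([\w$]+)\s*=\s*([\w$]+)$/);
      if (!m) throw new Error(`syntax error near: ${cmp.trim()}`);
      return resolveToken(m[1], row, values) === resolveToken(m[2], row, values);
    }),
  );
}

// Constructed stand-in for db.query(text, values) with $n placeholders.
function fakeQuery(text, values = []) {
  const m = text.match(/^SELECT \* FROM users WHERE (.+)$/i);
  if (!m) throw new Error('unsupported query shape');
  return USERS.filter((row) => evaluateWhere(m[1], row, values));
}

// BAD: the untrusted value is spliced into the SQL text and parsed as SQL.
function findUserUnsafe(userId) {
  return fakeQuery(`SELECT * FROM users WHERE id = ${userId}`);
}

// GOOD: the SQL text is constant; the value travels separately as data.
function findUserSafe(userId) {
  return fakeQuery('SELECT * FROM users WHERE id = $1', [userId]);
}

// Compare both forms on a well-formed id and on the textbook tautology
// that turns "id = 2" into "id = 2 OR 1=1" when concatenated.
for (const input of ['2', '2 OR 1=1']) {
  console.log(`unsafe(${JSON.stringify(input)}) ->`, findUserUnsafe(input).map((r) => r.name));
  console.log(`safe(${JSON.stringify(input)})   ->`, findUserSafe(input).map((r) => r.name));
}
```

With the concatenated form the tautology widens the match to every row; with the parameterised form the same string is compared as one value against the id column and matches nothing. Validating that an id is an integer before querying is cheap defence in depth, but it is the parameter binding, not the validation, that removes the injection.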

Affected Stacks

Express, PHP, raw SQL queries


SQL Injection via Unsanitized Input — Vulnerability Database | Vezraa