SQL injection from concatenated untrusted variables in node-postgres query string

Critical Risk | sql-injection

Tags: javascript, nodejs, postgresql, node-postgres, pg, sql-injection

What it is

A SQL injection vulnerability in which the SQL statement is built by string concatenation, inserting untrusted data directly into the query text instead of passing it through node-postgres parameter placeholders and bound values. An attacker who controls that data can read or alter data, run arbitrary queries, or escalate database privileges.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Untrusted variables are concatenated directly into the SQL query text instead of being passed through placeholders, so any quotes or SQL syntax they contain become part of the statement the database executes.

Root causes

Variable String Concatenation

Untrusted variables are directly concatenated into SQL query strings instead of using placeholders.

Missing Parameter Placeholders

Failing to use the node-postgres $1, $2, ... placeholders together with a separate values array, which is what lets the driver send the query text and the data to PostgreSQL separately.

Fixes

1. Use Parameterized Queries with $n Placeholders

Replace string concatenation with $1, $2, ... placeholders and pass the values separately as an array.

Implementation:
client.query('SELECT name FROM users WHERE id = $1', [userId])
2. Use Prepared Statements for Repeated Queries

For queries executed multiple times, give the query a name in the query config. node-postgres then prepares the statement once per connection and reuses its plan on later calls, which improves performance while keeping text and values separate.

Implementation:
const findUser = { name: 'find-user-by-id', text: 'SELECT * FROM users WHERE id = $1', values: [id] }; await client.query(findUser)
3. Validate Input Types and Ranges

Implement comprehensive validation for all variables used in database queries.

Implementation:
Check that IDs are numbers, that strings match expected patterns, and validate values against allow-lists.
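The following is an added example that is not part of the original page and is not Sourcery's or node-postgres's own code. It puts the root cause (the concatenated query) next to all three fixes above: a $1 placeholder with a values array, a named query that node-postgres prepares once per connection, and input validation. It also covers the one case $n cannot handle, an identifier such as an ORDER BY column, which has to come from an allow-list. FakeClient is an assumed stand-in that accepts the same call shapes as pg.Client (client.query(text, values) and client.query({ name, text, values })) and records what would be sent, so the file runs without a database or the pg package; the statement name, table, columns and the hostile input are constructed for the example.

```javascript
// Stand-in for pg.Client (assumed shape, not the real driver): same call forms as
// node-postgres, records each query config, returns an empty result.
class FakeClient {
  constructor() { this.log = []; }
  query(textOrConfig, values) {
    const config = typeof textOrConfig === 'string'
      ? { text: textOrConfig, values: values || [] }
      : { ...textOrConfig, values: textOrConfig.values || [] };
    this.log.push(config);              // recorded synchronously, before the promise settles
    return Promise.resolve({ rows: [], rowCount: 0 });
  }
}

// Root cause: the untrusted value is spliced into the statement text, so the
// SQL the database parses changes with the input.
function unsafeUserQuery(userId) {
  return { text: 'SELECT name FROM users WHERE id = ' + userId, values: [] };
}

// Fix 1: placeholder plus values array. The text is constant; the driver sends
// text and values to PostgreSQL separately, so the value is never parsed as SQL.
function safeUserQuery(userId) {
  return { text: 'SELECT name FROM users WHERE id = $1', values: [userId] };
}

// Fix 2: a named query. node-postgres prepares it once per connection under this
// name and reuses the plan afterwards. The name is an assumed label.
function preparedUserQuery(userId) {
  return { name: 'find-user-by-id', text: 'SELECT name FROM users WHERE id = $1', values: [userId] };
}

// Fix 3a: type and range validation before the value reaches the driver.
// Accepts a positive PostgreSQL INTEGER (int4) given as a number or a digit string.
const INT4_MAX = 2147483647;
function parseUserId(raw) {
  const s = String(raw);
  if (!/^[1-9]\d{0,9}$/.test(s)) throw new RangeError('invalid user id: ' + JSON.stringify(raw));
  const n = Number(s);
  if (n > INT4_MAX) throw new RangeError('user id out of range: ' + s);
  return n;
}

// Fix 3b: allow-list for the one thing $n cannot bind, an identifier.
// A column name in ORDER BY is not a parameter, so it must be chosen from a fixed set.
const SORTABLE_COLUMNS = new Set(['name', 'created_at']);
function sortColumn(raw) {
  if (!SORTABLE_COLUMNS.has(raw)) throw new RangeError('unsupported sort column: ' + JSON.stringify(raw));
  return raw;
}

// Data-access functions as an application would call them.
function findUser(client, rawId) {
  return client.query(preparedUserQuery(parseUserId(rawId)));
}
function listUsersSorted(client, rawColumn) {
  // Concatenation is acceptable here only because sortColumn() restricts the
  // identifier to the allow-list above.
  return client.query('SELECT name FROM users ORDER BY ' + sortColumn(rawColumn));
}

// Walk through the cases with a constructed hostile value and return what was "sent".
async function demo() {
  const client = new FakeClient();
  const hostile = '1 OR 1=1';                           // constructed sample input
  await client.query(unsafeUserQuery(hostile));         // text now ends in "... id = 1 OR 1=1"
  await client.query(safeUserQuery(hostile));           // text unchanged; PostgreSQL would reject the value as a non-integer
  await findUser(client, '42');                         // validated, then sent as a named query
  for (const bad of [hostile, 'name; DROP TABLE users']) {
    try { await findUser(client, bad); } catch (e) { client.log.push({ rejected: bad, reason: e.message }); }
  }
  await listUsersSorted(client, 'created_at');
  return client.log;
}

demo().then(log => console.log(JSON.stringify(log, null, 2)));
```

Running the file prints the recorded query configs: only the unsafe entry has input inside its text; the safe and prepared entries keep the same text and carry the value in the values array, and the two hostile inputs never reach the client at all because parseUserId rejects them first. Swapping FakeClient for a real pg.Client changes nothing in the data-access functions, since they only use the query(config) and query(text) forms that node-postgres already accepts.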

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from concatenated untrusted variables in node-postgres query strings, along with many other security issues in your codebase.