Typescript Sql Injection Untrusted Input
Description
SQL injection vulnerabilities occur when untrusted user input is directly incorporated into SQL queries without proper sanitization. This allows attackers to modify or manipulate the intended SQL query, potentially enabling unauthorized data access, data modification, or execution of malicious commands on the database.
Detection Strategy
• Identifies SQL query operations in the source code that accept dynamic input parameters
• Traces data flow to determine if untrusted sources (like user input, HTTP parameters, or file content) reach SQL operations
• Checks if the data passes through any SQL escaping or sanitization functions before being used in queries
• Reports a vulnerability when untrusted input flows into SQL operations without adequate sanitization or parameterization
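The strategy above, as an added illustration that is not Fluid Attacks' scanner code: a line-based taint tracker for a small TypeScript subset that marks variables built from request data, clears the mark when a value passes through the driver's escape function, and reports a query whose SQL argument still mentions a tainted variable. The source, sanitizer and sink names (req.body/query/params, <driver>.escape, connection/pool/db.query) and the sample snippets are assumptions made for this example.

```typescript
// Added illustration of the detection strategy (not Fluid Attacks' scanner code). Assumed: sources are
// req.body/query/params, the only sanitizer is <driver>.escape(...), sinks are <connection|pool|db>.query(...),
// one statement per line and no nested multi-argument calls.
type Finding = { line: number; taintedVars: string[] };
const SOURCE_RE = /\breq\.(body|query|params)\b/;
const ASSIGN_RE = /^(?:const|let|var)\s+(\w+)\s*(?::\s*[\w<>[\]]+)?\s*=\s*(.*?);?$/;
const SINK_RE = /\b(?:connection|pool|db)\.query\s*\(/;
const ESCAPED_RE = /\b(?:mysql|connection|pool|db)\.escape\s*\([^()]*\)/g;
// Code parts of an expression up to its first comma or closing bracket: quoted SQL text is
// dropped and only ${...} interpolations are kept, so a column named email is not a variable.
function codeOf(expr: string): string {
  let out = "", quote = "", interp = 0;
  for (let i = 0; i < expr.length; i++) {
    const c = expr[i];
    if (quote && !interp) {
      if (c === quote) quote = "";
      else if (quote === "`" && c === "$" && expr[i + 1] === "{") { interp = 1; i++; }
    } else if (interp) {
      interp += c === "{" ? 1 : c === "}" ? -1 : 0;
      out += interp ? c : " ";
    } else if (c === "'" || c === '"' || c === "`") quote = c;
    else if (")]},".indexOf(c) >= 0) break;
    else out += c;
  }
  return out;
}
const mentions = (code: string, v: string) => new RegExp("\\b" + v + "\\b").test(code);
function findSqlInjection(source: string): Finding[] {
  const tainted: { [name: string]: boolean } = {}, findings: Finding[] = [];
  source.split("\n").forEach((raw, i) => {
    const line = raw.trim().replace(ESCAPED_RE, "''"); // escaped values count as sanitized
    const m = ASSIGN_RE.exec(line);
    if (m) { // a variable is tainted when built from a source or from another tainted variable
      const rhs = codeOf(m[2]);
      tainted[m[1]] = SOURCE_RE.test(rhs) || Object.keys(tainted).some((v) => tainted[v] && mentions(rhs, v));
    }
    const sink = SINK_RE.exec(line); if (!sink) return;
    const sqlArg = codeOf(line.slice(sink.index + sink[0].length)); // first argument is the SQL text
    const vars = Object.keys(tainted).filter((v) => tainted[v] && mentions(sqlArg, v));
    if (vars.length) findings.push({ line: i + 1, taintedVars: vars });
  });
  return findings;
}
// Constructed samples: concatenation and template-literal forms are flagged, the placeholder form is not.
const VULNERABLE = ["const email: string = req.body.email;",
  "const sql = \"SELECT * FROM users WHERE email = '\" + email + \"'\";",
  "connection.query(sql, cb);",
  "connection.query(`SELECT * FROM users WHERE email = '${email}'`, cb);"].join("\n");
const SECURE = ["const email: string = req.body.email;",
  "connection.query('SELECT * FROM users WHERE email = ?', [email], cb);"].join("\n");
```

Running findSqlInjection(VULNERABLE) reports lines 3 and 4 (tainted variables sql and email), while findSqlInjection(SECURE) reports nothing because the tainted value only appears in the parameter array, not in the SQL text.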
Vulnerable code example
import mysql from 'mysql';
import { Request, Response } from 'express';

function login(req: Request, res: Response): void {
  const email: string = req.body.email;
  const password: string = req.body.password;
  // Vulnerable: Direct string concatenation of user input into SQL query...

✅ Secure code example
import mysql from 'mysql';
import crypto from 'crypto';
import { Request, Response } from 'express';

function login(req: Request, res: Response): void {
  const email: string = req.body.email;
  const password: string = req.body.password;
  ...