SQL injection from variable concatenation in mssql query string

Risk: Critical | Category: sql-injection
Tags: javascript, nodejs, mssql, sql-server, sql-injection

What it is

SQL injection vulnerability where SQL strings are built by concatenating non-literal variables into mssql queries without parameter binding, potentially allowing attackers to alter the query, exfiltrate data, or invoke dangerous database functions.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Non-literal variables are directly concatenated into SQL query strings for mssql operations.

Root causes

Variable String Concatenation

Non-literal variables are directly concatenated into SQL query strings for mssql operations.

Missing Parameter Binding

Failing to use mssql's parameterized query capabilities with proper input binding.

Fixes

1. Use Parameterized Queries with request.input()

Bind values using request.input(name, type, value) and reference @params in SQL strings.

Implementation:
request.input('userId', sql.Int, userId);
const result = await request.query('SELECT * FROM users WHERE id = @userId');
2. Use Prepared Statements

For repeated queries, use sql.PreparedStatement with typed parameters for better performance and security.

Implementation:
const ps = new sql.PreparedStatement(pool);
ps.input('id', sql.Int);
await ps.prepare('SELECT * FROM users WHERE id = @id');
const result = await ps.execute({ id: userId });
await ps.unprepare();
3. Remove String Concatenation

Eliminate all string concatenation from query construction and use only parameter binding.

Implementation:
Replace query-building logic with parameter binding and input validation.

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from variable concatenation in mssql query strings and many other security issues in your codebase.