SQL injection from function argument in mysql/mysql2 query in Node.js

Critical Risk sql-injection
javascriptnodejsmysqlmysql2sql-injection

What it is

SQL injection vulnerability where a function argument is embedded into SQL for mysql/mysql2 without parameters, potentially allowing attackers to read or modify database records, escalate privileges, or execute administrative operations through attacker-controlled content that alters the query structure.

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Function parameters are directly interpolated or concatenated into SQL query strings.

Root causes

Function Argument String Interpolation

Function parameters are directly interpolated or concatenated into SQL query strings.

Missing Parameter Binding

Failing to use mysql/mysql2 parameterized query capabilities with placeholders.

Fixes

1

Use Parameterized Queries with Placeholders

Use ? placeholders and pass values in a separate array to mysql/mysql2 query or execute methods.

View implementation 
connection.execute('SELECT * FROM users WHERE id = ?', [userId])
2

Validate and Cast Inputs

Validate function arguments and cast them to expected types before using in database queries.

View implementation 
Check that IDs are numbers, strings match expected patterns, validate against allow-lists
3

Use Connection Pooling Safely

When using connection pools, ensure all queries use parameterization consistently.

View implementation 
pool.execute() with placeholders instead of pool.query() with concatenated strings

Detect This Vulnerability in Your Code

Sourcery automatically identifies sql injection from function argument in mysql/mysql2 query in node.js and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities