Recipe

SQL injection defense

Parameterize everything. Never concatenate user input into queries.

The rule

Every SQL query that includes user-supplied data must use parameterized statements. No exceptions. String concatenation with user input is a vulnerability — full stop.

Wrong

// NEVER do this
const query = "SELECT * FROM users WHERE id = '" + userId + "'";
db.execute(query);

Right

// Parameterized — safe
const query = "SELECT * FROM users WHERE id = ?";
db.execute(query, [userId]);

Dynamic table/column names

Identifiers (table names, column names) cannot be bound as parameters. When you must build them dynamically, validate the value against a strict allowlist before interpolating it, and never try to escape it instead.

const ALLOWED = new Set(["id", "email", "created_at"]);
if (!ALLOWED.has(sortColumn)) throw new Error("Invalid column");
const query = `SELECT * FROM users ORDER BY ${sortColumn} DESC`;
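The two rules above (bind values, allowlist identifiers) combined in one query builder, as an added example that is not part of the original recipe. It returns a `{ sql, params }` pair for a hypothetical `db.execute(sql, params)` call like the one shown above; the column names and limits are assumptions.

```javascript
// Added example: a user-search query where every value is a bound parameter
// and every identifier comes from an allowlist. `users` columns are assumed.

const SORTABLE = new Set(["id", "email", "created_at"]);
const DIRECTIONS = new Set(["ASC", "DESC"]);
const MAX_LIMIT = 500;

// Builds { sql, params } for db.execute(sql, params). Throws on any
// identifier or direction that is not in its allowlist, so attacker-controlled
// strings can never reach the ORDER BY clause as SQL text.
function buildUserSearch({ status, sortColumn = "id", direction = "ASC", limit = 50 }) {
  // Identifiers: cannot be parameterized, so they are checked, never escaped.
  if (!SORTABLE.has(sortColumn)) {
    throw new Error(`Invalid sort column: ${sortColumn}`);
  }
  const dir = String(direction).toUpperCase();
  if (!DIRECTIONS.has(dir)) {
    throw new Error(`Invalid sort direction: ${direction}`);
  }

  // Values: bound as parameters, so their content is data, never SQL.
  // LIMIT is still range-checked because it is a value, not an identifier,
  // and we want a sane upper bound regardless of injection concerns.
  const lim = Number(limit);
  if (!Number.isInteger(lim) || lim < 1 || lim > MAX_LIMIT) {
    throw new Error(`Invalid limit: ${limit}`);
  }

  const sql =
    `SELECT id, email, created_at FROM users ` +
    `WHERE status = ? ORDER BY ${sortColumn} ${dir} LIMIT ?`;
  return { sql, params: [status, lim] };
}

module.exports = { buildUserSearch, SORTABLE, DIRECTIONS };
```

A hostile `status` value such as `active' OR '1'='1` ends up in `params`, where the driver sends it as data, while a hostile `sortColumn` is rejected before any SQL is assembled.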

ORM considerations

ORMs prevent most injection, but raw query methods still accept unsanitized strings. Audit every .raw() or .query() call and make sure user input reaches them only as bound parameters.

Meridian Docs · Last updated 2026-05-26