SQL Injection Prevention

Parameterize everything. Never concatenate user input into queries.

The Rule

Every SQL query that includes user-supplied data must use parameterized statements or an ORM that enforces them. String interpolation into SQL is the root cause of injection.

Bad

// Vulnerable: userId is spliced into the SQL text, so a quote in the input changes the query's structure
const query = "SELECT * FROM users WHERE id = '" + userId + "'"

Good

// Safe: the driver binds userId as a value; it is never parsed as SQL
const query = "SELECT * FROM users WHERE id = ?"
db.execute(query, [userId])

Dynamic Identifiers

Table and column names cannot be bound as parameters. Validate them against an allowlist of known names before interpolating, and treat any value outside that set as an error rather than trying to escape it.

// Only these exact column names may ever reach the query text
const ALLOWED = new Set(["id", "email", "created_at"])
if (!ALLOWED.has(sortColumn)) throw new Error("invalid column")
// Safe only because sortColumn was just checked against the allowlist
const query = `SELECT * FROM users ORDER BY ${sortColumn}`

ORMs

ORMs prevent most injection by design, but raw query methods still require manual parameterization. Audit every .raw() call.
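The following is an added example, not code from the recipe itself, that ties the Dynamic Identifiers and ORMs sections together: a small query builder that keeps user data in bound parameters while allowlisting the sort column, a placeholder check of the kind a driver performs, and a source-level audit that flags `.raw()` calls which concatenate or interpolate into SQL. The `db.raw` method and the scanned file contents are hypothetical and constructed for the example.

```javascript
// Added example (not from the original recipe). `db.raw` is a hypothetical ORM
// escape hatch; SAMPLE_SOURCE is constructed input for the audit function.

const ALLOWED_SORT_COLUMNS = new Set(["id", "email", "created_at"]);

// Builds SQL text and the parameter list separately. User data only ever reaches
// the driver through `params`; the identifier is allowlisted before interpolation.
function buildUserQuery({ userId, sortColumn = "id", descending = false }) {
  if (!ALLOWED_SORT_COLUMNS.has(sortColumn)) {
    throw new Error(`invalid sort column: ${sortColumn}`);
  }
  const direction = descending ? "DESC" : "ASC"; // fixed strings, not user input
  return {
    sql: `SELECT * FROM users WHERE id = ? ORDER BY "${sortColumn}" ${direction}`,
    params: [userId],
  };
}

// Mimics the check a driver performs: bound values must match the `?` markers
// one to one, and the values are never parsed as SQL, so a quote or semicolon
// inside `userId` stays plain data. Returns the number of placeholders.
function bindCheck({ sql, params }) {
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== params.length) {
    throw new Error("placeholder/parameter count mismatch");
  }
  return placeholders;
}

// Flags lines whose .raw() argument uses `+` concatenation or `${}` interpolation,
// the cases the recipe says to audit by hand. Returns 1-based line numbers.
function auditRawCalls(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    const m = line.match(/\.raw\(\s*([^)]*)\)/);
    if (m && (/\$\{/.test(m[1]) || /\+/.test(m[1]))) findings.push(i + 1);
  });
  return findings;
}

// Constructed sample file contents: line 1 is parameterized, lines 2 and 3 are not.
const SAMPLE_SOURCE = [
  "const rows = await db.raw('SELECT * FROM users WHERE id = ?', [id]);",
  "const bad1 = await db.raw(`SELECT * FROM users WHERE email = '${email}'`);",
  "const bad2 = await db.raw(\"DELETE FROM sessions WHERE token = '\" + token + \"'\");",
].join("\n");

console.log(buildUserQuery({ userId: "O'Brien", sortColumn: "email" }));
console.log("lines to audit:", auditRawCalls(SAMPLE_SOURCE)); // [2, 3]
```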