CWE-89 SQL Injection
What this means
SiteShadow flagged code that builds SQL using untrusted input without parameterization (string concatenation, interpolation, .format(), template literals, etc.).
Why it matters
- Data exposure: attackers can read sensitive rows (users, tokens, billing, PII).
- Data manipulation: attackers can update/delete data or escalate privileges.
- Auth bypass: when the injected query is a login or session lookup, query injection becomes account takeover.
Safer examples
1) Use parameterized queries (Python)
cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
2) Use parameterized queries (Node / pg)
await client.query("SELECT * FROM users WHERE email = $1", [email]);
3) If you must build dynamic SQL (e.g. a column name, which cannot be bound as a parameter), only use allowlisted fragments
allowed = {"created_at", "email"}
order_by = order_by if order_by in allowed else "created_at"
sql = f"SELECT * FROM users ORDER BY {order_by} DESC"
cursor.execute(sql) # only allowlisted identifiers are interpolated
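The three patterns above side by side, as an added runnable example (not SiteShadow's own code): a concatenated lookup of the kind the rule flags, its parameterized replacement, and an allowlisted ORDER BY. It uses Python's stdlib sqlite3 with a constructed in-memory table; the classic tautology string is used only to show that the parameterized query treats it as a literal value.

```python
import sqlite3

# Constructed in-memory fixture so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users (email, created_at) VALUES (?, ?)",
        [("alice@example.com", "2024-02-01"), ("bob@example.com", "2024-01-01")],
    )
    return conn

def find_user_vulnerable(conn, email):
    # The pattern the rule flags: untrusted input interpolated into the SQL text,
    # so quote characters in `email` change the structure of the statement.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, email):
    # Parameterized: the driver passes the value separately from the SQL text,
    # so it is compared as data and never parsed as SQL.
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()

# Identifiers (column names) cannot be bound as parameters, so the only safe
# way to make them dynamic is to map untrusted input onto a fixed allowlist.
ALLOWED_ORDER_BY = {"created_at", "email"}

def list_users(conn, order_by):
    column = order_by if order_by in ALLOWED_ORDER_BY else "created_at"
    rows = conn.execute(f"SELECT email FROM users ORDER BY {column} DESC")
    return [row[0] for row in rows]

def compare(email):
    # Returns the row counts seen by the vulnerable and the safe lookup for one input.
    conn = make_db()
    return len(find_user_vulnerable(conn, email)), len(find_user_safe(conn, email))

if __name__ == "__main__":
    print("normal input:", compare("alice@example.com"))
    print("tautology input:", compare("' OR '1'='1"))
    print("allowlisted order:", list_users(make_db(), "email"))
    print("rejected order falls back:", list_users(make_db(), "id; DROP TABLE users"))
```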
How SiteShadow detects it (high level)
- Identifies query execution calls (ORM raw queries, execute, .query, .raw) combined with string building.
- Looks for user-controlled sources flowing into query strings (request params/body/query/env).
- Avoids flagging safe patterns when it can recognize parameterization APIs.
References
- CWE-89: https://cwe.mitre.org/data/definitions/89.html
---