CRITICALSecuritymediumNext.js

Never Build Database Queries with String Concatenation

String concatenation in database queries creates injection vulnerabilities. Always use parameterized queries or ORM query builders. [CWE-89 · A03:2021]

Why This Matters

prevents SQL injection and NoSQL injection attacks

Related Rules

Add Error Boundaries Around Unreliable Content

Architecture

MEDIUM

Break Up God Components Into Focused, Composable Units

Architecture

MEDIUM

Use next/image Instead of Raw img Tags

Performance

HIGH

Always Return Cleanup Functions from useEffect

Performance

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 6+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Never Build Database Queries with String Concatenation

Impact: CRITICAL (prevents SQL injection and NoSQL injection attacks)

Constructing database queries by concatenating or interpolating user input creates injection vulnerabilities. This applies to raw SQL, ORM queries with raw segments, and NoSQL operations. Always use parameterized queries or ORM methods that handle escaping.

Incorrect (string interpolation in raw SQL):

// ❌ Direct interpolation — classic SQL injection vector
export async function getUser(name: string) {
  const result = await prisma.$queryRaw`
    SELECT * FROM users WHERE name = '${name}'
  `
  return result
}
 
// ❌ String concatenation in query builder
export async function searchProducts(term: string) {
  const query = `SELECT * FROM products WHERE name LIKE '%${term}%'`
  const result = await db.execute(query)
  return result
}

Correct (parameterized queries):

// ✅ Prisma tagged template (auto-parameterized)
export async function getUser(name: string) {
  const result = await prisma.$queryRaw(
    Prisma.sql`SELECT * FROM users WHERE name = ${name}`
  )
  return result
}
 
// ✅ Better: use the ORM's query builder
export async function getUser(name: string) {
  return prisma.user.findFirst({
    where: { name },
  })
}
 
// ✅ Drizzle parameterized query
export async function searchProducts(term: string) {
  return db
    .select()
    .from(products)
    .where(like(products.name, `%${term}%`))
}

Also watch for Supabase:

// ❌ String interpolation in Supabase RPC
const { data } = await supabase.rpc('search_users', {
  query: `%${userInput}%`  // Could be safe depending on the function, but risky pattern
})
 
// ✅ Use Supabase query builder
const { data } = await supabase
  .from('users')
  .select('*')
  .ilike('name', `%${userInput}%`)  // Properly parameterized by the SDK

Detection hints:

# Find potential SQL injection patterns
grep -rn '\$queryRaw`' src/ --include="*.ts" --include="*.tsx" | grep '\${'
grep -rn "execute(" src/ --include="*.ts" | grep -E "(\+|concat|\`)"
grep -rn "query(" src/ --include="*.ts" | grep -E "(\+|concat|\`)"

Reference: OWASP SQL Injection Prevention · Prisma Raw Queries