Use prepared, parameterized statements

Use prepared, parameterized statements | BeforeMerge Rules | BeforeMerge

Why this matters

Concatenating untrusted input into SQL allows attackers to alter query structure (SQL injection), reading or destroying data. Parameterized statements send the query and data separately, so input can never be interpreted as SQL.

-- Bad: string concatenation (injectable)
query("SELECT * FROM users WHERE email = '" + input + "'");
 
-- Good: bound parameter
query("SELECT * FROM users WHERE email = ?", [input]);

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters