Use parameterized queries to prevent injection

Use parameterized queries to prevent injection | BeforeMerge Rules | BeforeMerge

Why this matters

When user input is concatenated into a query string, an attacker can break out of the intended data context and run arbitrary database commands. Parameterized queries send data separately from the query plan, so input can never be interpreted as SQL.

// Bad: string concatenation
db.query("SELECT * FROM users WHERE email = '" + email + "'");
 
// Good: bound parameters
db.query("SELECT * FROM users WHERE email = $1", [email]);

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters