Security · MergeGuard review · High

Unsanitized sort column enables SQL injection

mergeguard-demo · 1h ago

Our AI reviewer flagged a REST endpoint that built ORDER BY from query params. The team assumed Prisma parameterized everything — but raw fragments bypassed that.

AI finding

The value of the `sort` query parameter was interpolated straight into the string passed to `$queryRawUnsafe`, which executes it as written with no parameterization. Because the whole ORDER BY clause is attacker-controlled, arbitrary SQL can be appended to the query.

Suggested fix

Whitelist the permitted sort columns and directions and map the request value onto fixed column names; never interpolate user input into a SQL fragment. Parameterization alone would not help here, even with the tagged-template `$queryRaw`: bound parameters carry values, not identifiers, so a column name or an ASC/DESC keyword can only be validated against a fixed list, not bound.

// Before
const order = req.query.sort; // attacker-controlled; Express can also hand back an array or object here
await prisma.$queryRawUnsafe(`SELECT * FROM items ORDER BY ${order}`); // string is executed as-is, nothing is parameterized
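The following is an added example of the whitelist approach, not MergeGuard's output or the project's own code. The request value is used only as a lookup key into two frozen tables, and the ORDER BY fragment is assembled from constants. The column names, the `key:direction` format and the shape of `sortParam` are assumptions, and Prisma is not imported so the file runs offline; in the real handler the returned fragment would be embedded with the `Prisma.raw` helper inside a `$queryRaw` tagged template instead of `$queryRawUnsafe`.

```javascript
// Added example (not MergeGuard's or the project's code): allowlist-based
// ORDER BY construction for a sort query parameter. Column names and the
// "column:direction" format are assumptions.

// Public sort key -> real column. Frozen so nothing can add keys at runtime.
const SORT_COLUMNS = Object.freeze({
  name: 'name',
  price: 'price',
  created: 'created_at',
});

const SORT_DIRECTIONS = Object.freeze({ asc: 'ASC', desc: 'DESC' });

// Own-property lookup: a plain `table[key]` would resolve "constructor" or
// "__proto__" through the prototype chain and return a truthy non-string.
function lookup(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

// The vulnerable shape from the finding, kept only to contrast with the fix.
function vulnerableQuery(sortParam) {
  return `SELECT * FROM items ORDER BY ${sortParam}`;
}

// Turn ?sort=price:desc (or ?sort=price) into a validated ORDER BY fragment.
// Anything outside the allowlists throws, including the arrays/objects that
// Express produces for ?sort[]=x or ?sort[a]=b.
function buildOrderBy(sortParam, { defaultKey = 'created', defaultDir = 'desc' } = {}) {
  if (sortParam === undefined) {
    return `ORDER BY ${SORT_COLUMNS[defaultKey]} ${SORT_DIRECTIONS[defaultDir]}`;
  }
  if (typeof sortParam !== 'string') {
    throw new TypeError('sort must be a single string');
  }
  const parts = sortParam.split(':');
  if (parts.length > 2) {
    throw new RangeError('sort must be "column" or "column:direction"');
  }
  const [key, dir = defaultDir] = parts;
  const column = lookup(SORT_COLUMNS, key);
  const direction = lookup(SORT_DIRECTIONS, dir.toLowerCase());
  if (column === undefined) throw new RangeError(`unsupported sort column: ${key}`);
  if (direction === undefined) throw new RangeError(`unsupported sort direction: ${dir}`);
  // Only constants from the two tables reach the SQL string.
  return `ORDER BY ${column} ${direction}`;
}

// Hardened query text. The fragment is built from constants, so splicing it is
// safe; with Prisma: prisma.$queryRaw`SELECT * FROM items ${Prisma.raw(fragment)}`.
function safeQuery(sortParam) {
  return `SELECT * FROM items ${buildOrderBy(sortParam)}`;
}

// Constructed inputs: one legitimate sort, one injection attempt.
const INJECTION = 'name; DROP TABLE items --';
console.log(vulnerableQuery(INJECTION)); // attacker text lands in the SQL verbatim
console.log(safeQuery('price:desc'));    // SELECT * FROM items ORDER BY price DESC
try {
  safeQuery(INJECTION);
} catch (err) {
  console.log('rejected:', err.message); // rejected: unsupported sort column: name; DROP TABLE items --
}
```

Two details matter beyond the lookup itself: the `hasOwnProperty` check keeps keys such as `__proto__` or `constructor` from resolving through the prototype chain into a truthy non-string, and the `typeof` check matters because Express's query parser can return an array or object for the same parameter name, which would otherwise be coerced into the string.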
