SQL injection
SQL injection via string concatenation or template literals in queries. AI tools generate this pattern constantly because the syntax is shorter than the safe version.
What this rule detects
VC006 finds SQL queries built by interpolating values directly into the query string — template literals (`SELECT * FROM users WHERE id = ${id}`), string concatenation, or `query` functions called with f-string-style construction. The rule flags both the obvious cases (raw user input) and the subtle ones (values that came from user input several function calls earlier).
Vulnerable vs. safe code
```javascript
// Template literal — looks innocent, is SQL injection.
app.get("/users/:id", async (req, res) => {
  const result = await db.query(`
    SELECT * FROM users WHERE id = ${req.params.id}
  `);
  res.json(result.rows);
});
// Attack: GET /users/1; DROP TABLE users;--
```

```javascript
// Parameterized query — value is bound separately from the SQL string.
app.get("/users/:id", async (req, res) => {
  const result = await db.query(
    "SELECT * FROM users WHERE id = $1",
    [req.params.id]
  );
  res.json(result.rows);
});
```

Most modern ORMs (Prisma, Drizzle, Kysely) make injection nearly impossible because they build queries from JS values rather than strings. If you're using one of those and still seeing VC006 fire, you're probably in a `$queryRaw` or equivalent escape hatch — that's the path to audit.
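As an added example (not XploitScan's own detector), here is a minimal Node.js matcher for the inline form of what VC006 describes: it flags `query`-style calls whose first argument is a template literal containing `${...}` or a `+`-concatenated string, and passes the parameterized form. The sink-name list and the sample source are constructed for this example.

```javascript
// Added example, not XploitScan's detector: a minimal matcher for the two inline
// interpolation styles VC006 describes. It only sees queries built at the call
// site; a query assembled into a variable earlier is out of scope here.

// Hypothetical list of SQL sink names; a real rule would make this configurable.
const SQL_SINKS = ["query", "execute", "$queryRawUnsafe"];

// Build the two checks for a sink list. The lookbehind stops "myquery(" from
// matching while still allowing "db.query(".
function buildChecks(sinks) {
  const alt = sinks.map((s) => s.replace(/\$/g, () => "\\$")).join("|");
  const head = String.raw`(?<![\w$])(?:${alt})\s*\(\s*`;
  return [
    // First argument is a template literal containing at least one ${...}.
    { kind: "template-literal", re: new RegExp(head + "`[^`]*?\\$\\{[\\s\\S]*?`", "g") },
    // First argument is a quoted string immediately followed by "+" concatenation.
    { kind: "string-concatenation", re: new RegExp(head + String.raw`(?:"[^"\n]*"|'[^'\n]*')\s*\+`, "g") },
  ];
}

// Returns one finding per interpolated query, ordered by line: { line, kind, snippet }.
function findInterpolatedQueries(source, sinks = SQL_SINKS) {
  const findings = [];
  for (const { kind, re } of buildChecks(sinks)) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, kind, snippet: m[0].split("\n")[0].trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: the page's vulnerable handler, a concatenation variant,
// and the parameterized handler, which must produce no finding.
const SAMPLE = `
app.get("/users/:id", async (req, res) => {
  const result = await db.query(\`
    SELECT * FROM users WHERE id = \${req.params.id}
  \`);
  res.json(result.rows);
});
app.get("/search", async (req, res) => {
  const rows = await db.query("SELECT * FROM users WHERE name = '" + req.query.q + "'");
  res.json(rows);
});
app.get("/safe/:id", async (req, res) => {
  const result = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
  res.json(result.rows);
});
`;

console.log(findInterpolatedQueries(SAMPLE)); // lines 3 and 9 flagged, line 13 clean
```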
About A03:2021 — Injection
Injection happens when user input is concatenated directly into SQL queries, shell commands, HTML, or any other interpreter. SQL injection has been #1 or #2 on the OWASP Top 10 since the list was created in 2003 — it's the oldest class of web bug that still ships every week.
Impact: SQL injection: attacker reads or modifies your entire database. Command injection: attacker runs arbitrary shell commands on your server. XSS: attacker steals session cookies and impersonates other users. Each one is typically a critical-severity finding.
How to fix it: Always use parameterized queries (prepared statements) for SQL. Never use template literals or string concatenation with user input in queries. For HTML output, use your framework's auto-escaping. For shell commands, use APIs that take an array of arguments instead of `exec()` with a string.
Common patterns in this category:
- SQL queries built with string concatenation or template literals
- `child_process.exec()` called with user input concatenated into the command
- `dangerouslySetInnerHTML` with user-controlled data
- `eval()` or `Function()` called with user input
- `innerHTML` assignment without sanitization
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC006 and 157 other rules
Free, no signup. Drag and drop a zip or run `npx xploitscan scan .`