Skill

sqli

Detects SQL injection where user input reaches query construction via string concatenation, template literals, or ORM raw methods in JS/TS, Python, Go, Ruby, PHP. For auditing database apps.

Javascript

Typescript

Python

security

database

npx claudepluginhub byamb4/find-cve-agent

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Audit database-backed applications, ORM wrappers, query builders, and any code that constructs SQL queries from user input.

Supporting Assets

references/false-positive-indicators.mdreferences/poc-skeleton.mdreferences/sinks.md

SKILL.md

Similar Skills

detecting-sql-injection-vulnerabilities

1.9k

Detects SQL injection vulnerabilities by tracing user inputs through code to database queries, flagging unsafe patterns like concatenation and unparameterized ORMs. Scans frameworks including Django, Rails, Express, Go.

8 files7 tools

sql-injection-detector

check-sql-injection

Analyzes PHP code for SQL injection vulnerabilities including query concatenation, variable interpolation, dynamic identifiers, ORM misuse (Doctrine, Eloquent/Laravel), raw queries, and LIKE/IN issues.

acc

sql-injection-detector

2.0k

Detects SQL injection vulnerabilities and provides step-by-step guidance, best practices, code generation, and validation for input sanitization and secure coding.

4 tools

jeremylongshore-claude-code-plugins-plus-skills

Stats

Stars18

Forks2

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

SQL Injection Detection

When to Use

Audit database-backed applications, ORM wrappers, query builders, and any code that constructs SQL queries from user input.

Process

Step 1: Find SQL Query Construction

# JavaScript
grep -rn "query(\|execute(\|\.raw(\|\.rawQuery(" .
grep -rn "knex\.raw\|sequelize\.query\|prisma\.\$queryRaw" .

# Python
grep -rn "cursor\.execute\|execute(\|executemany(" .
grep -rn "\.raw(\|RawSQL\|text(" .
grep -rn "f\".*SELECT\|f\".*INSERT\|f\".*UPDATE\|f\".*DELETE" .

# Go
grep -rn "db\.Query\|db\.Exec\|db\.QueryRow\|tx\.Query" .
grep -rn "fmt\.Sprintf.*SELECT\|fmt\.Sprintf.*INSERT" .

# Ruby
grep -rn "find_by_sql\|execute\|select_all\|where.*#\{" .

# PHP
grep -rn "query(\|prepare(\|exec(\|mysql_query\|mysqli_query" .

Step 2: Check for String Concatenation/Interpolation

# Template literals in SQL
grep -rn "query.*\`.*\$\{" . --include="*.js" --include="*.ts"

# String concatenation in SQL
grep -rn "SELECT.*\+\|INSERT.*\+\|UPDATE.*\+\|DELETE.*\+" .

# Python f-strings in SQL
grep -rn 'f".*SELECT\|f".*INSERT\|f".*UPDATE\|f".*DELETE' .

# Format strings in SQL
grep -rn "\.format(.*SELECT\|\.format(.*INSERT" .

Step 3: Check for Parameterized Queries

Parameterized queries are SAFE:

// SAFE: parameterized
db.query('SELECT * FROM users WHERE id = ?', [userId]);

// UNSAFE: string concatenation
db.query('SELECT * FROM users WHERE id = ' + userId);

Step 4: Check ORM Raw Methods

ORMs are generally safe, but .raw() / .query() methods often bypass protections:

// SAFE: ORM query builder
User.findOne({ where: { id: userId } });

// UNSAFE: raw query with interpolation
sequelize.query(`SELECT * FROM users WHERE id = ${userId}`);

Step 5: Check Non-Parameterizable Locations

Some SQL elements CANNOT be parameterized:

ORDER BY column names
Table names
Column names in SELECT
LIMIT/OFFSET (in some databases)

If user input reaches these, it is SQLi even with prepared statements.

CVSS Guidance

Data exfiltration (UNION/blind): HIGH 8.1-8.8
Data modification: HIGH 8.1
Unauthenticated with admin data access: CRITICAL 9.8
Authenticated: HIGH 8.8
ORDER BY injection (limited): MEDIUM 5.3

References

Sinks -- SQL query sinks by language
False Positive Indicators
PoC Skeleton