Backend safety

no-sql-injection

Flag SQL queries built by `+` concatenation or template-literal interpolation.

Detects SQL-shaped strings (the keyword must appear at the start of the string, so prose that merely contains "select" mid-sentence does not match) that are built by concatenating or interpolating a dynamic value. Two forms are exempt because the dynamic value never becomes part of the SQL text: `sql`/`postgres` tagged templates, and parameterized calls that use `?` or `$1` placeholders with the values passed separately.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);

Good:

db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);
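The following is an added example, not code from @deslint/eslint-plugin or from any database driver. It puts the two flagged forms (template interpolation and `+` concatenation) next to the two exempt forms (a `?` placeholder call and a tagged template) and feeds each a constructed hostile input. The `sql` tag is a hypothetical stand-in for what libraries like postgres.js provide; it shows why a tag can be exempt: it receives the literal chunks and the interpolated values as separate arguments and emits placeholders instead of splicing the values into the text.

```javascript
// Added example, not code from @deslint/eslint-plugin or any database driver.
// It shows why the rule flags interpolation/concatenation and why it exempts
// tagged templates and placeholder calls: in the safe forms the SQL text never
// changes, no matter what the user-controlled value contains.

// Flagged: template-literal interpolation. The value becomes SQL syntax.
function buildInterpolated(id) {
  return `SELECT * FROM users WHERE id = ${id}`;
}

// Flagged: `+` concatenation. Wrapping the value in quotes does not help,
// because a quote inside the value closes the string literal early.
function buildConcatenated(name) {
  return "SELECT * FROM users WHERE name = '" + name + "'";
}

// Exempt: parameterized call. The text is a constant and the value is handed
// to the driver out of band, so it can never be parsed as SQL.
function buildParameterized(id) {
  return { text: "SELECT * FROM users WHERE id = ?", values: [id] };
}

// Hypothetical `sql` tag (real drivers such as postgres.js ship their own).
// A tag receives the literal chunks and the interpolated values as separate
// arguments, so it can emit $1, $2, ... placeholders instead of splicing the
// values into the text. This is why the rule treats tagged templates as safe.
function sql(strings, ...values) {
  let text = strings[0];
  for (let i = 0; i < values.length; i++) {
    text += `$${i + 1}` + strings[i + 1];
  }
  return { text, values };
}

// Exempt: tagged template. Same syntax as the flagged form, different semantics.
function buildTagged(id, name) {
  return sql`SELECT * FROM users WHERE id = ${id} AND name = ${name}`;
}

// Constructed hostile inputs for the demo (not taken from any real request).
const HOSTILE_ID = "1 OR 1=1";
const HOSTILE_NAME = "x' OR '1'='1";

// Builds every variant with the hostile inputs so the results can be compared.
function demo() {
  return {
    interpolated: buildInterpolated(HOSTILE_ID),
    concatenated: buildConcatenated(HOSTILE_NAME),
    parameterized: buildParameterized(HOSTILE_ID),
    tagged: buildTagged(HOSTILE_ID, HOSTILE_NAME),
  };
}

console.log(demo());
```

In the output, the two flagged variants have the hostile text spliced into the WHERE clause, while the parameterized and tagged variants keep a fixed query text and carry the hostile strings only in `values`, which is exactly the property the rule's carve-outs rely on.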

Related rules

Use it

Enable no-sql-injection in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-sql-injection': 'error',
    },
  },
];
