```ts
return (req: Request, res: Response, next: NextFunction) => {
  let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
  criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
  models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
```
❗Cycode: SAST violation: 'Unsanitized input in SQL query'.
Severity: Critical
Description
Using unsanitized data, such as user input or request data, or externally influenced data passed to a function, in SQL query exposes your application to SQL injection attacks. This vulnerability arises when externally controlled data is directly included in SQL statements without proper sanitation, allowing attackers to manipulate queries and access or modify data.
Company Remediation Guideline
Please see http://www.espn.com for more information on how we would prefer you to mitigate this violation.
🎥 Learning materials (by Secure Code Warrior)
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_sast_false_positive | Mark as false positive — applies to this violation only |
| #cycode_ai_remediation | Request remediation guidance using Cycode AI |
| #cycode_sast_ignore_here | Ignore this violation — applies to this violation only |
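The flagged query beside a parameterised form, as an added example that is neither Juice Shop's code nor Cycode's guidance. `buildSafeQuery`, `quoteCount`, `inputChangesStatementShape` and the `!` escape character are assumptions of this example; it also covers the LIKE-wildcard caveat that binding alone does not address.

```typescript
// Added example (not Juice Shop's own code): the interpolated search query from the
// review context beside a parameterised variant. Nothing here touches a database;
// both builders return the SQL text (and bind values) that sequelize.query() would receive.

const MAX_LEN = 200 // the same truncation the original handler applies

// Mirrors the original handler: the search term is spliced into the SQL text.
function buildUnsafeQuery(q: string | undefined): string {
  let criteria = q === 'undefined' ? '' : q ?? ''
  criteria = criteria.length <= MAX_LEN ? criteria : criteria.substring(0, MAX_LEN)
  return `SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`
}

// Hardened variant: the SQL text is a constant template and the term travels as a
// bind value. `?` placeholders with `replacements` are Sequelize's positional binding,
// used as sequelize.query(sql, { replacements, type: QueryTypes.SELECT }).
function buildSafeQuery(q: string | undefined): { sql: string; replacements: string[] } {
  let criteria = q === 'undefined' ? '' : q ?? ''
  criteria = criteria.substring(0, MAX_LEN)
  // LIKE treats % and _ as wildcards even when bound, so escape them (and the escape
  // character itself, '!' here) and declare it; otherwise a term of "%" matches every row.
  const escaped = criteria.replace(/[!%_]/g, (c) => '!' + c)
  const pattern = `%${escaped}%`
  return {
    sql: "SELECT * FROM Products WHERE ((name LIKE ? ESCAPE '!' OR description LIKE ? ESCAPE '!') AND deletedAt IS NULL) ORDER BY name",
    replacements: [pattern, pattern],
  }
}

// Cheap structural check for a test suite: the number of single quotes in the statement
// must not depend on the input. An apostrophe in a legitimate term such as "O'Reilly"
// closes a string literal early in the interpolated version; the template never changes.
function quoteCount(sql: string): number {
  return (sql.match(/'/g) ?? []).length
}

function inputChangesStatementShape(build: (q: string) => string, sample: string): boolean {
  return quoteCount(build('apple')) !== quoteCount(build(sample))
}
```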