Description
Problem Statement:
SQL injection remains one of the most critical web application vulnerabilities. Developers often unknowingly create vulnerable code by concatenating user input directly into SQL queries using + operators or template literals.
Proposed Solution
Create a rule that:
- Detects SQL keywords (SELECT, INSERT, UPDATE, DELETE, etc.)
- Identifies string concatenation or template literal interpolation with variables
- Warns developers to use parameterized queries instead
Examples
- Invalid (should trigger a warning):

```javascript
// String concatenation
const query = "SELECT * FROM users WHERE email = '" + userEmail + "'";

// Template literal interpolation (backticks restored; the original rendering had dropped them)
const query = `DELETE FROM posts WHERE id = ${postId}`;

// Dynamic query building
const sql = "UPDATE accounts SET balance = " + newBalance;
```
- Valid (should pass):

```javascript
// Parameterized query
const query = "SELECT * FROM users WHERE email = ?";
db.execute(query, [userEmail]);

// Named parameters
const query = "SELECT * FROM users WHERE email = :email";
db.execute(query, { email: userEmail });

// ORM usage
const users = await User.findAll({ where: { email: userEmail } });
```
Configuration Options:

```json
{
  "rules": {
    "hub/no-raw-sql-strings": ["error", {
      "allowHardcodedQueries": false,
      "sqlKeywords": ["SELECT", "INSERT", "UPDATE", "DELETE", "DROP"],
      "allowedPatterns": ["SELECT 1", "SHOW TABLES"]
    }]
  }
}
```
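As an added illustration (not code from this repository), here is a minimal rule in the shape proposed above: it flags a `+` chain or template literal whose leading string starts with a configured SQL keyword and mixes in a non-literal operand, honoring the `sqlKeywords` and `allowedPatterns` options from the config; the `allowHardcodedQueries` option and the exact message wording are left open and assumed.

```javascript
// Added example, not the project's code. Keyword list and option names follow the issue.
const DEFAULT_KEYWORDS = ["SELECT", "INSERT", "UPDATE", "DELETE", "DROP"];

// True when a string fragment begins with one of the configured SQL keywords.
function startsWithSqlKeyword(text, keywords) {
  const head = text.trimStart().toUpperCase();
  return keywords.some((kw) => head === kw || head.startsWith(kw + " "));
}

// Flatten a left-associative chain  a + b + c  into its operand nodes.
function concatOperands(node) {
  const isPlus = node.type === "BinaryExpression" && node.operator === "+";
  return isPlus ? [...concatOperands(node.left), ...concatOperands(node.right)] : [node];
}

// Returns a report message when `node` builds SQL from interpolated or concatenated
// values, otherwise null. Works on ESTree nodes (what ESLint hands a rule).
function checkNode(node, options = {}) {
  const keywords = options.sqlKeywords || DEFAULT_KEYWORDS;
  const allowed = options.allowedPatterns || [];
  if (node.type === "TemplateLiteral") {
    if (node.expressions.length === 0) return null; // plain string, nothing interpolated
    const text = node.quasis.map((q) => q.value.cooked).join("");
    if (allowed.includes(text.trim())) return null;
    if (startsWithSqlKeyword(node.quasis[0].value.cooked, keywords)) {
      return "SQL built with template literal interpolation; use a parameterized query";
    }
  }
  if (node.type === "BinaryExpression" && node.operator === "+") {
    // Report only the outermost `+` so one concatenation chain yields one finding.
    const p = node.parent;
    if (p && p.type === "BinaryExpression" && p.operator === "+") return null;
    const parts = concatOperands(node);
    const isLit = (n) => n.type === "Literal" && typeof n.value === "string";
    if (isLit(parts[0]) && startsWithSqlKeyword(parts[0].value, keywords) && !parts.every(isLit)) {
      return "SQL built with string concatenation; use a parameterized query";
    }
  }
  return null;
}

// ESLint rule wrapper: visit both node kinds and report whatever checkNode flags.
const rule = {
  meta: { type: "problem", schema: [{ type: "object" }] },
  create(context) {
    const opts = context.options[0] || {};
    const visit = (node) => { const msg = checkNode(node, opts); if (msg) context.report({ node, message: msg }); };
    return { TemplateLiteral: visit, BinaryExpression: visit };
  },
};
if (typeof module !== "undefined") module.exports = rule;
```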
Category
- Type: General/Node
- Severity: Error (security-critical)
- Category: Best Practices / Security
Benefits
- Prevents SQL injection vulnerabilities at development time
- Encourages secure coding practices
- Complements existing security tools
- Easy to implement with clear fix suggestions
Additional Context
This rule would be particularly valuable for:
- Express.js applications using raw SQL
- Node.js backends with database connectivity
- Full-stack JavaScript applications
- Teams migrating from other languages to Node.js