Critical SeverityA03:2021 - InjectionCWE-89

How to Fix SQL Injection in Express

Learn how to prevent and fix SQL Injection vulnerabilities in Express applications. Step-by-step guide with code examples, security checklists, and best practices.

What Is SQL Injection?

SQL Injection is a code injection technique that exploits security vulnerabilities in an application's database layer. It occurs when user-supplied data is included in SQL queries without proper sanitization, allowing an attacker to manipulate the query's logic. An attacker can craft input that changes the intended SQL command, gaining unauthorized access to data.

The attack works by inserting (or "injecting") SQL fragments into input fields, URL parameters, cookies, or HTTP headers that are then incorporated into database queries. For example, a login form vulnerable to SQL injection might allow an attacker to bypass authentication by entering `' OR '1'='1` as a password. More sophisticated attacks can use UNION-based injection to extract data from other tables, blind injection to infer data one bit at a time, or stacked queries to execute arbitrary SQL commands.

While ORMs and query builders have reduced the prevalence of SQL injection, it remains common in applications that use raw queries, dynamic query construction, or improperly configured ORMs. Stored procedures are not immune either if they construct dynamic SQL internally.

Why It Matters

SQL Injection consistently ranks among the most dangerous web vulnerabilities because of its severe impact. A successful attack can lead to complete database compromise, allowing attackers to read all data including credentials, personal information, and financial records. Attackers can modify or delete data, causing data integrity issues and potential business disruption. In some database configurations, SQL injection can be escalated to operating system command execution, leading to full server compromise. The 2017 Equifax breach, which exposed 147 million records, was caused by a related injection vulnerability. For applications subject to regulations like GDPR or HIPAA, a SQL injection breach can result in millions of dollars in fines.

How to Fix It in Express

The most effective defense against SQL injection is using parameterized queries (also called prepared statements) for all database interactions. Never concatenate user input directly into SQL strings. Use your ORM's built-in query methods rather than raw SQL wherever possible. If raw queries are necessary, always use parameterized placeholders. Implement input validation using strict allowlists for expected data types and formats. Apply the principle of least privilege to database accounts -- the application should connect with minimal necessary permissions. Use a Web Application Firewall (WAF) as an additional layer. Regularly audit your codebase for raw query construction patterns.

Express-Specific Advice

Use `helmet` middleware for setting security headers (CSP, HSTS, X-Frame-Options, etc.) with sensible defaults.
Use `express-rate-limit` for rate limiting. Apply stricter limits to authentication endpoints and API routes.
Always use parameterized queries with your database driver. Never concatenate user input into SQL strings.
Validate request bodies using `express-validator`, Zod, or Joi middleware. Reject requests that do not match expected schemas.

Code Examples

Vulnerable: String interpolation in SQL

app.get("/users/:id", async (req, res) => {
  // DANGEROUS -- SQL injection
  const result = await pool.query(
    `SELECT * FROM users WHERE id = '${req.params.id}'`
  );
  res.json(result.rows);
});

Secure: Parameterized queries with pg

app.get("/users/:id", async (req, res) => {
  // Safe -- parameterized query
  const result = await pool.query(
    "SELECT * FROM users WHERE id = $1",
    [req.params.id]
  );
  res.json(result.rows);
});

Express Security Checklist for SQL Injection

Replace all raw SQL string concatenation with parameterized queries or ORM methods

Audit every database query in your Express codebase for user input handling

Use an ORM or query builder as the default for all database operations

Apply the principle of least privilege to database connection credentials

Implement input validation (type, length, format) before data reaches the database layer

Enable database query logging in development to review generated SQL

Run SafeVibe's SQL injection scan on your Express application

Express Security Best Practices

Use `helmet` middleware for setting security headers (CSP, HSTS, X-Frame-Options, etc.) with sensible defaults.

Use `express-rate-limit` for rate limiting. Apply stricter limits to authentication endpoints and API routes.

Always use parameterized queries with your database driver. Never concatenate user input into SQL strings.

Validate request bodies using `express-validator`, Zod, or Joi middleware. Reject requests that do not match expected schemas.

Use `cors` middleware with explicit origin allowlists. Never use `cors({ origin: '*' })` in production.

Disable the `X-Powered-By` header with `app.disable('x-powered-by')` or by using helmet.

Use `multer` or `busboy` for file uploads with strict file type and size limits. Store files outside the web root.

Implement proper error handling middleware that does not leak stack traces or internal details in production.

Scan Your Express App with SafeVibe

Stop guessing if your Express app is vulnerable to SQL Injection. Run an automated penetration test in minutes and get actionable results.

Start Free Scan

Related Guides

SQL Injection in Other Frameworks

FastAPI Django Ruby on Rails Laravel

View all SQL Injection guides

More Express Security Guides

Cross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)Insecure Direct Object References (IDOR)Broken Authentication

View all Express guides