react-doctor/raw-sql-injection-risk

Building a SQL query by string concatenation or an unsafe raw helper lets an attacker inject SQL and read or modify your database.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production script source files (.js/.ts/.jsx/.tsx/.py/.php); test/scripts/docs/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when a query is built outside parameter binding: $queryRawUnsafe(/$executeRawUnsafe(, Prisma.raw(/sql.raw|unsafe( with a non-literal argument, a conn.query("SELECT … ${…}") interpolation, .query("…" + …) concatenation, .where|orderBy|havingRaw( non-literal, or Python/PHP equivalents (cursor.execute(f"…"), engine/session.execute(...), $x->query("…".$…), mysqli_query(...)). It skips parameterized usage — a pure string literal, or an interpolation wrapped in sanitize/escape/quote. FALSE POSITIVE: the interpolated segment is a hard-coded allowlisted identifier rather than user data.

Fix prompt

Use this once validation confirms the diagnostic is real.

Move dynamic values into driver parameters or ORM bind variables: $queryRaw tagged templates (not the *Unsafe helpers), db.query("… WHERE id = $1", [id]), or the ORM builder. Validate any unavoidable dynamic identifier (table or column name) against a fixed allowlist, since identifiers cannot be passed as bound parameters. In Python use parameterized cursor.execute(sql, params); in PHP use prepared statements with bound parameters. Wrapping a value in an escape/quote helper silences the diagnostic but is not equivalent to binding: it only protects quoted string contexts, so prefer parameters wherever the driver supports them.
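The following is an added example, not code from oxlint-plugin-react-doctor or from any project the rule targets. It puts the pattern the validation prompt describes (a template-literal interpolation into .query) next to the two fixes above: a bound parameter for the value, and a fixed allowlist for a dynamic ORDER BY column, which is also the case the validation prompt calls a false positive. The driver is a constructed fake that records the statement text and parameters instead of connecting anywhere; the $1 placeholder syntax, the users table, and the column names are assumptions for illustration.

```javascript
// Added example: flagged pattern beside its parameterized fix, run against a
// constructed fake driver so it executes offline. Not part of the rule's source.

// Fake driver (constructed for this example): records what a real driver such as
// pg or mysql2 would receive through its query(text, params) API.
function makeFakeDb() {
  const log = [];
  return {
    log,
    query(text, params = []) {
      log.push({ text, params });
      return Promise.resolve({ rows: [] });
    },
  };
}

// VULNERABLE: the shape the rule fires on. The interpolated value becomes part of
// the SQL text, so attacker-controlled input rewrites the statement itself.
function findUserUnsafe(db, id) {
  return db.query(`SELECT id, email FROM users WHERE id = ${id}`);
}

// FIXED: the statement text is constant and the value travels as a driver
// parameter ($1 is the placeholder style pg uses); it can never change the
// statement's structure, whatever it contains.
function findUser(db, id) {
  return db.query('SELECT id, email FROM users WHERE id = $1', [id]);
}

// Identifiers cannot be bound as parameters, so a dynamic ORDER BY column is
// checked against a fixed allowlist and only an allowlisted string is ever
// interpolated. This is the one interpolation the validation prompt treats as a
// false positive when the rule flags it.
const SORTABLE_COLUMNS = new Set(['id', 'email', 'created_at']);

function sortColumn(requested) {
  if (!SORTABLE_COLUMNS.has(requested)) {
    throw new Error(`unsupported sort column: ${requested}`);
  }
  return requested; // returns the hard-coded allowlist member, not user data
}

function listUsers(db, orderBy, limit) {
  const column = sortColumn(orderBy); // throws unless allowlisted
  return db.query(
    `SELECT id, email FROM users ORDER BY ${column} LIMIT $1`,
    [limit],
  );
}

// Runs all three against the fake driver with a classic tautology payload and
// returns the recorded statements so the difference is visible.
function demonstrate() {
  const db = makeFakeDb();
  const attackerInput = '1 OR 1=1'; // constructed payload

  findUserUnsafe(db, attackerInput); // WHERE id = 1 OR 1=1  -> every row
  findUser(db, attackerInput);       // WHERE id = $1, params ['1 OR 1=1']
  listUsers(db, 'email', 10);        // ORDER BY email LIMIT $1, params [10]

  let rejected = false;
  try {
    listUsers(db, 'email; DROP TABLE users', 10);
  } catch (err) {
    rejected = true; // identifier not in the allowlist, query never built
  }

  return { log: db.log, rejected };
}

const result = demonstrate();
for (const q of result.log) console.log(q.text, JSON.stringify(q.params));
console.log('non-allowlisted sort column rejected:', result.rejected);
```

The first recorded statement shows why the rule fires: the payload has become SQL syntax. The second shows the fix the rule wants, where the same payload is just an opaque parameter value. The third is the only form of interpolation a reviewer should wave through, and then only when the interpolated value provably comes from the allowlist rather than from the request.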