Heimdall Scan logo, AI security scanner for vibe coders
Heimdall ScanOpen Beta
CriticalAPI Hardening

SQL injection from string-built database queries

SQL injection happens when a database query is built by inserting user input directly into a string of SQL text, instead of passing it as a separate parameter. A crafted input can change what the query actually does.

#What goes wrong

Most apps built with an ORM like Prisma or Drizzle are safe by default, but raw query escape hatches, like a template-string query passed straight to a Postgres client, are sometimes used for a query the ORM can't express cleanly, and user input gets interpolated straight into the string.

#Why it matters

A successful SQL injection can let an attacker read every row in every table, including other users' data and password hashes, or delete the whole database outright. It remains one of the most damaging classes of bugs because a single vulnerable query can expose everything.

#How Heimdall checks for this

Heimdall looks for raw SQL execution and checks whether user-controlled values are interpolated directly into the query string rather than passed as bound parameters.

#How to fix it

Use your ORM's parameterized query methods instead of raw string interpolation. If a raw query is unavoidable, use the tagged-template form your database library provides, like Prisma's $queryRaw with a template literal instead of $queryRawUnsafe, so values are automatically parameterized rather than concatenated.

Frequently asked questions

Am I safe if I only use Prisma's normal query methods?

Does this apply to NoSQL databases like MongoDB?

How do I know if my query is parameterized?

Run this check on your own repo

Heimdall scans your GitHub repo for this and 29 other issues in under a minute.