Sensing and blocking JavaScript SQL injection attacks

By
Mackenzie Jackson
4 min read
Guides

Why are you here?

You’ve heard about JavaScript SQL injection attacks before, but you’re not entirely sure what they look like in the wild or if you need to worry about them in the first place. Maybe you’re trying to figure out just how bad it could be.

In short, if you build apps on SQL databases like MySQL or PostgreSQL, you are exposed to an attack class that has plagued developers and their databases for decades. As a developer, the onus is on you to put guardrails in place that protect user data and keep your underlying infrastructure from being probed, read, or taken over.

All the new tools say they’re helping you, but they just make development more complex.

You can add an object-relational mapper (ORM) like Sequelize or TypeORM to simplify how you work with MySQL and PostgreSQL, but ORMs still expose raw-query escape hatches and do not absolve you of risk. Web application firewalls (WAFs) block attacks at the network edge, but they require extra infrastructure and constant rule maintenance. Code scanners help you find the obvious flaws, but do far less for the unknown unknowns and for injection techniques that have not been catalogued yet.

We'll give you a clear picture of what SQL injection attacks look like, the risk they carry, and the development mistakes that make them possible. Then we'll walk you through installing a runtime layer that catches the injection attempts your code lets through, so one missed query does not turn into a breach.

SQL injection attacks: examples and implications

The most basic definition of a SQL injection attack: an app builds a database query by pasting untrusted user input into the SQL text, so the input is parsed as part of the statement rather than as a plain value. The attacker can then read the database, modify records, or delete to their heart's content.

As usual, XKCD illustrates the danger of SQL injection better than most gloomy scenarios we could dream up:

The famous "Bobby Tables" comic, illustrating a possible JavaScript SQL injection attack.

What does a vulnerable JavaScript app look like?

Let's start with a small Express example: an app with an input element that lets users search a database of cats. The handler below responds to POST requests on the /cats path, pulls the user-supplied id out of the request body, interpolates it into a SQL query that returns every cat with a matching id, and sends the rows back as JSON.

const express = require("express");
const mysql = require("mysql2");

const app = express();
app.use(express.json()); // parse JSON bodies so request.body.id exists

// placeholder connection settings for this example; adjust for your environment
const connection = mysql.createConnection({ host: "localhost", user: "root", database: "cats" });

app.post("/cats", (request, response) => {
  // VULNERABLE: request.body.id is interpolated straight into the SQL text
  const query = `SELECT * FROM cats WHERE id = ${request.body.id}`;
  connection.query(query, (err, rows) => {
    if (err) return response.status(500).json({ error: "query failed" });
    response.json({ data: rows });
  });
});

app.listen(4000);


This might look innocuous if you have never been trained on SQL injection, but it is egregiously vulnerable. The app does not validate the input (an id should be a number), and it concatenates the raw value into the SQL string, which hands attackers every classic injection technique of the past two decades.

Example JavaScript SQL attack payloads

SQL injection hinges on tricking your MySQL or PostgreSQL database into taking action or responding with data outside the expected scope due to how your app generates SQL queries.

The always-true attack turns a lookup into a condition that matches every row, because 1=1 (or '1'='1') is always TRUE. Assume the app wraps a name in single quotes, as in SELECT * FROM Cats WHERE name = '${input}':

  • The user inputs: Bobby Tables' OR '1'='1
  • The database executes the SQL query: SELECT * FROM Cats WHERE name = 'Bobby Tables' OR '1'='1';

The first quote in the input closes the intended string, OR '1'='1' matches everything, and the template's own closing quote finishes the last literal.

The same trick works with double quotes, which MySQL treats as string delimiters by default (PostgreSQL reserves them for identifiers), because ""="" is always TRUE:

  • The user inputs: " OR ""="
  • The database executes the SQL query: SELECT * FROM Cats WHERE CatId = "" OR ""="";

Attackers also lean on inline comments (/* … */) to obfuscate a payload or slip past naive keyword filters. The database treats each comment as whitespace, so a statement with comments between its tokens parses exactly like the clean one:

  • The user inputs: DROP/*hello world*/TABLE/*sneak attack*/Cats
  • The database executes the SQL query: DROP TABLE Cats;

Note that the comments sit between tokens. Splitting a keyword itself, as in DR/**/OP, does not work on current MySQL or PostgreSQL, because the comment becomes a space and DR OP is not a keyword.

Another common strategy is query stacking: the attacker starts with an innocuous value, uses a semicolon (;) to terminate the intended statement, appends a statement of their own, and finishes with -- so that anything the app adds afterwards is commented out. A favourite follow-up is DROP TABLE, which removes a whole table (not the whole database, but bad enough):

  • The user inputs: 1; DROP TABLE Cats --
  • The app builds its SQL query: const query = "SELECT * FROM Cats WHERE CatId = " + input;
  • The database executes the SQL query: SELECT * FROM Cats WHERE CatId = 1; DROP TABLE Cats --

Whether the second statement runs depends on the driver. mysql2 rejects stacked statements unless the connection was created with multipleStatements: true; node-postgres runs a multi-statement string whenever no parameters are passed. Do not treat a driver default as your defence, since the other payloads above need only one statement.

What about NoSQL injection attacks?

NoSQL injection is just as dangerous for your app and your users' data, but it targets document stores such as MongoDB, and the payloads look different: instead of quotes and semicolons, the attacker smuggles query operators like {"$gt": ""} through a JSON body so that a lookup matches every document. The syntax does not carry over from one family to the other.

If you query a SQL database with SQL, MongoDB-style payloads are not your problem, and vice versa. The underlying mistake is the same on both sides, though: letting untrusted input decide the structure of a query instead of only its values. Object-shaped filters passed straight from a request body into an ORM deserve the same suspicion.

The basic path: manually fixing all your SQL injection vulnerabilities

At this point, you might be less interested in what all the possible injection tricks look like and more interested in how to protect the data you have in MySQL or PostgreSQL.

  • Use parameterized queries: a parameterized (prepared) query sends the statement text and the values to the database separately, so a value is never parsed as SQL. With the Node.js example from above, put a ? placeholder where the id belongs and hand the value to connection.query() as its second argument; you get the same rows, minus the injection. (mysql2's query() escapes values on the client, while execute() uses server-side prepared statements; both stop injection. Still check that request.body.id is a number: the mysql drivers expand an object value into key = value SQL, so type validation belongs in front of the query.)

const express = require("express");
const mysql = require("mysql2");

const app = express();
app.use(express.json());

// placeholder connection settings for this example; adjust for your environment
const connection = mysql.createConnection({ host: "localhost", user: "root", database: "cats" });

app.post("/cats", (request, response) => {
  // the SQL text is fixed; the driver supplies the value separately
  const query = "SELECT * FROM cats WHERE id = ?";
  const value = request.body.id;
  connection.query(query, [value], (err, rows) => {
    if (err) return response.status(500).json({ error: "query failed" });
    response.json({ data: rows });
  });
});

app.listen(4000);

  • Validate and sanitize user input: parameterized queries are the primary defence, but validating input at the edge of your app is a cheap second layer. Reject anything that does not match the shape you expect (an id is an integer, an email is an email) before it gets anywhere near a query.

    One option is adding open-source libraries for sanitization and validation to your app. For example, you can use validator.js in the JavaScript/Node.js ecosystem to double-check that a user is trying to enter a real email address—not an SQL injection attack—into your sign-up form.

    You can also develop custom regex-based validators to perform similar work, but you’ll have an enormously time-consuming and complex road ahead with research and tons of manual testing. Plus, can you really interpret this example regex for email validation?

    const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

    The same idea applies to blocking strings like ' OR '1'='1. You can try to research and close down every such opportunity yourself, but you would probably rather spend your time building features, and a blocklist of known payloads is always one encoding trick behind the attacker.

  • Deploy WAFs or agent-based security platforms: these solutions can block SQL injection before a request reaches your app, or at least alert you in real time as attacks happen, but they come with caveats.

    First, they are often expensive and require new infrastructure on-premises or in the cloud, which is more than a developer who just wants to ship to production signed up for. Second, their rulesets need ongoing manual maintenance, and a signature-based ruleset only knows the payloads it has already seen. Finally, they add computational load or route every request through their platform for analysis, which adds latency and hurts the end-user experience.

The big problem is that opportunities for SQL injection attacks are like weeds—you can cut them all down once using these tools, but you must be constantly vigilant over your entire codebase to ensure they never sprout again.
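The two code-level defences above (validate, then parameterize) and the payload walk-through earlier in the post, brought together in one added example. This is not code from the original post and not Aikido Firewall's code: parseCatId, buildParameterizedQuery, the {sql, values} return shape, the toy tokenizer and the constructed inputs are all this example's own assumptions, and the "sense" function is a deliberate simplification of what a runtime injection detector does. It runs offline with plain Node.js.

```javascript
// Added example, not code from the original post or from Aikido Firewall.
// (1) The fix the post recommends: validate the id, then keep the SQL text
// constant and pass the value separately. (2) A toy "sense" step: given the
// final SQL string and the user input, decide whether the input stayed inside
// one literal (data) or spilled into the statement (code). Simplified on purpose.

// Accept only a canonical non-negative integer (number or digit string).
// Objects are rejected on purpose: the mysql drivers expand them into SQL.
function parseCatId(raw) {
  if (typeof raw === "number") return Number.isSafeInteger(raw) && raw >= 0 ? raw : null;
  if (typeof raw === "string" && /^(0|[1-9][0-9]{0,15})$/.test(raw)) return Number(raw);
  return null;
}

// Fixed text plus a values array, the shape a driver call takes (mysql2 uses
// "?", pg uses "$1"). The {sql, values} object is this example's own convention.
function buildParameterizedQuery(id) {
  return { sql: "SELECT * FROM cats WHERE id = ?", values: [id] };
}

// The post's concatenation bugs, kept for contrast (numeric and quoted forms).
function buildVulnerableIdQuery(input) {
  return `SELECT * FROM cats WHERE id = ${input}`;
}
function buildVulnerableNameQuery(input) {
  return `SELECT * FROM cats WHERE name = '${input}'`;
}

// Minimal MySQL-flavoured tokenizer: returns [{type, start, end}], end exclusive.
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  const push = (type, end) => { tokens.push({ type, start: i, end }); i = end; };
  while (i < sql.length) {
    const c = sql[i];
    let j = i + 1;
    if (/\s/.test(c)) push("ws", j);
    else if (sql.startsWith("--", i) || c === "#") {      // line comment
      const nl = sql.indexOf("\n", i);
      push("comment", nl === -1 ? sql.length : nl);
    } else if (sql.startsWith("/*", i)) {                  // block comment
      const close = sql.indexOf("*/", i + 2);
      push("comment", close === -1 ? sql.length : close + 2);
    } else if (c === "'" || c === '"' || c === "`") {      // quoted string / identifier
      while (j < sql.length && !(sql[j] === c && sql[j + 1] !== c)) {
        j += sql[j] === "\\" || sql[j] === c ? 2 : 1;      // skip escapes and doubled quotes
      }
      push(c === "`" ? "identifier" : "string", Math.min(j + 1, sql.length));
    } else if (/[0-9]/.test(c)) {                          // numeric literal
      while (j < sql.length && /[0-9.]/.test(sql[j])) j++;
      push("number", j);
    } else if (/[A-Za-z_]/.test(c)) {                      // keyword or bare identifier
      while (j < sql.length && /[A-Za-z0-9_]/.test(sql[j])) j++;
      push("word", j);
    } else push("punct", j);
  }
  return tokens;
}

// True when an occurrence of userInput in sql is not wholly inside one string
// or number token, i.e. part of it is parsed as SQL. A real engine adds minimum
// input lengths and more context to keep false positives down.
function inputChangesQueryStructure(sql, userInput) {
  if (!userInput) return false;
  const tokens = tokenize(sql);
  for (let from = 0; ; ) {
    const start = sql.indexOf(userInput, from);
    if (start === -1) return false;
    const end = start + userInput.length;
    const inLiteral = tokens.some(
      (t) => (t.type === "string" || t.type === "number") && t.start <= start && end <= t.end
    );
    if (!inLiteral) return true;
    from = end;
  }
}

// Constructed inputs: a benign value per builder, then the post's payloads.
function demoFindings() {
  const cases = [
    ["id", "42"], ["id", "1 OR 1=1"], ["id", "1; DROP TABLE cats --"],
    ["id", "1/*c*/OR/*c*/1=1"], ["name", "Bobby Tables"],
    ["name", "Bobby Tables' OR '1'='1"], ["name", "Kitty'); DELETE FROM cats;-- H"],
  ];
  return cases.map(([kind, input]) => ({
    input,
    validId: parseCatId(input),
    injection: inputChangesQueryStructure(
      kind === "id" ? buildVulnerableIdQuery(input) : buildVulnerableNameQuery(input), input),
  }));
}

console.log(demoFindings());
```

Run it with node and read the output: every constructed payload is flagged by inputChangesQueryStructure and rejected by parseCatId, while the benign id and the plain name pass both checks. The interesting case is the name query: "Bobby Tables" is two words, but it sits inside one string literal, so it is data; the moment the input carries its own quote, it escapes that literal and becomes code. The idea behind runtime injection detection is this same comparison, done with a real SQL parser and against every input the request carried, before the driver sends the query.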

An alternative path to solving JavaScript SQL injection attacks: Aikido Firewall

Aikido Security recently released Firewall, a free and open-source security engine that autonomously protects you from SQL injection attacks, and a whole lot more.

If you’re not using Node.js, just know that we’ll start supporting other languages and frameworks in the future. You can always subscribe to our product newsletter to hear exactly when Firewall expands beyond the JavaScript world or email us at hello@aikido.dev if you’d like to pitch a specific language.

Testing an app that's vulnerable to JavaScript SQL injection

Let’s use a sample app that ships with the open-source repository to showcase how Aikido Firewall works. You’ll also need Docker/Docker Compose to deploy a local MySQL database.

Start by forking the firewall-node repository and cloning said fork to your local workstation.

git clone https://github.com/<YOUR-GITHUB-USERNAME>/firewall-node.git
cd firewall-node


Use Docker Compose to deploy a local MySQL database on port 27015. The same docker-compose.yml also starts s3mock, MongoDB, and PostgreSQL containers, because the Aikido team uses it to test how Firewall blocks attacks against each of them.

docker-compose -f sample-apps/docker-compose.yml up -d


Next, launch the sample app:

node sample-apps/express-mysql2/app.js


Open http://localhost:4000 in your browser to check out the very simple cat app. In the textarea, type a few cat names and click the Add button. To test SQL injection, either click the Test injection link or type the following into the textarea and click Add again: Kitty'); DELETE FROM cats;-- H. Either way, the closing quote and parenthesis end the app's INSERT, the semicolon stacks a DELETE behind it, and the trailing comment swallows the rest of the template, wiping every row in the cats table. (Stacking works here because the sample app's connection accepts multiple statements per query; mysql2 refuses that by default, but the other payloads in this post need only one statement.)

How does this happen? As we warned against earlier, this app simply tacks on any user input at the end of the SQL query, which is inherently unsafe.

const query = `INSERT INTO cats(petname) VALUES ('${name}');`


The consequences might be small here, but it’s not hard to imagine how this oftentimes honest mistake can have disastrous consequences for your production app.

Blocking JavaScript SQL injection with Aikido Firewall

Now let’s look at how quickly our open-source security engine blocks JavaScript SQL injection attacks without manually fixing every database interaction in your code.

If you don’t yet have an Aikido account, go ahead and make one for free. If you already have one, log in and connect your GitHub account. During that process, grant Aikido access to read your fork of the firewall-node project.

Go to the Firewall dashboard and click Add Service. Give your service a name and once again choose your fork for the firewall-node project.

Adding Firewall to a Node.js project to protect against JavaScript SQL injection attacks.

Aikido then instructs you on how to install and implement Aikido Firewall. Since we’re using the example app, that work is already done for you, but it’s a helpful reference for how you’d go about bringing our open-source security engine to all your Node.js apps that might be vulnerable to JavaScript SQL injection attacks.


Click the Generate Token button to create a token to let Aikido Firewall securely pass information about blocked SQL injection attacks to the Aikido security platform. Copy the generated token, which starts with AIK_RUNTIME…, and head back to your terminal to rerun the sample app, only now with Firewall fully enabled in blocking mode:

AIKIDO_TOKEN=<YOUR-AIKIDO-TOKEN> AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node sample-apps/express-mysql2/app.js


Open localhost:4000 and once again invoke the included SQL injection attack. This time, Firewall blocks the request before the query reaches MySQL: the browser shows the blocked response, the sample app's console logs the detection, and a new event appears on the Aikido dashboard. Click it for the details of the attempt, including the payload and where in your code the dangerous SQL query was built.

An example of Firewall blocking a JavaScript SQL injection attack.

Instead of worrying about forever protecting your apps against SQL injection attacks, both the well-known and the not-yet-seen, Aikido Firewall offers blocking plus the observability that keeps you informed about attack sources, common payloads, and where your code is weakest.

What’s next?

You can install and implement Aikido Firewall in all your Node.js-based applications for free. Our open-source embedded security engine protects your infrastructure and user data against JavaScript SQL injection attacks, command injection, prototype pollution, path traversal, and more to come shortly.

We’re not saying Firewall should replace development best practices for protecting against SQL injection, like using parameterized queries or never trusting user input, but we also know from personal experience that no developer is perfect. No codebase is faultless, and honest mistakes happen all the time.

Think of Firewall as a global hotfix for SQL injection. Unlike custom regex, latency-inducing WAFs, or complex security agents that cost a pretty penny, it does this one job extraordinarily well and with negligible overhead, entirely for free.

If you like what you’ve seen, check out our roadmap and give our GitHub repository (https://github.com/AikidoSec/firewall-node) a star. ⭐

https://www.aikido.dev/blog/sensing-and-blocking-javascript-sql-injection-attacks-aikido-firewall
