Severity: High | CWE-89 | OWASP Top 10 A03:2021 (Injection)

Raw Queries in ORMs

Using raw SQL methods like Prisma's $queryRaw or Sequelize's query() with string interpolation bypasses the ORM's built-in SQL injection protection.

How It Works

ORMs like Prisma and Sequelize provide safe query builders that automatically parameterize inputs. However, they also expose raw query methods for complex operations. When developers use these raw methods with string interpolation or concatenation instead of parameterized placeholders, they reintroduce SQL injection vulnerabilities. An attacker can inject malicious SQL through user input that gets interpolated directly into the query string. This is especially dangerous because developers assume the ORM protects them, creating a false sense of security.

Vulnerable Code

// Prisma - vulnerable raw query: `email` comes straight from the request and is
// spliced into the SQL text, so a quote in the input changes the query itself.
// (Prisma 3 and later reject a plain string here; the equivalent call is $queryRawUnsafe.)
const users = await prisma.$queryRaw(
  `SELECT * FROM users WHERE email = '${email}'`
);

// Sequelize - vulnerable raw query: same problem, `status` is untrusted input
const results = await sequelize.query(
  `SELECT * FROM orders WHERE status = '${status}'`
);

Secure Code

import { Prisma } from '@prisma/client';

// Prisma - parameterized raw query: the Prisma.sql tag keeps ${email} as a bound
// parameter instead of pasting it into the SQL text
const users = await prisma.$queryRaw(
  Prisma.sql`SELECT * FROM users WHERE email = ${email}`
);

// Sequelize - parameterized raw query: each ? is filled from the matching entry
// of `replacements`, which Sequelize escapes before sending the query
const results = await sequelize.query(
  'SELECT * FROM orders WHERE status = ?',
  { replacements: [status] }
);

Real-World Example

In 2021, a vulnerability in a popular Node.js CMS was traced to raw Sequelize queries with string interpolation. Attackers exploited it to extract admin credentials from the database, affecting over 10,000 installations before a patch was released.

How to Prevent It

  • Always use tagged template literals with Prisma.sql for $queryRaw
  • Use parameterized replacements in Sequelize raw queries
  • Prefer ORM query builders over raw queries whenever possible
  • Use ESLint rules to flag string interpolation in raw query methods
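A small check in the spirit of the last bullet, added here as an example and not part of the original page or any product: it scans source text for raw-query calls (assumed method names: Prisma's $queryRaw, $executeRaw, their Unsafe variants, and Sequelize's query) whose query argument is built by interpolation or concatenation, and leaves the tagged Prisma.sql form and ?-placeholder strings alone. A production ESLint rule would walk the AST rather than use regexes, but the decision logic is the same.

```javascript
// Heuristic scanner for raw ORM query calls whose SQL is built by interpolation
// or concatenation. Constructed example: method names and patterns are assumptions.

// Raw-query entry points to inspect (assumed list). The capture is the method
// name; the trailing `\s*` lets the first argument start on the next line.
const RAW_METHODS = /\.(\$queryRaw|\$executeRaw|\$queryRawUnsafe|\$executeRawUnsafe|query)\s*\(\s*/g;

// Returns one finding { method, line, reason } per suspicious call.
function findUnsafeRawQueries(source) {
  const findings = [];
  for (const m of source.matchAll(RAW_METHODS)) {
    const method = m[1];
    const argStart = m.index + m[0].length;
    const arg = source.slice(argStart, argStart + 400); // start of the first argument
    const line = source.slice(0, m.index).split('\n').length; // 1-based line of the call
    let reason = null;
    if (arg.startsWith('`')) {
      // Untagged template literal: any ${...} inside it is spliced into the SQL text.
      const body = arg.slice(1, arg.indexOf('`', 1));
      if (body.includes('${')) reason = 'untagged template literal with ${...} interpolation';
    } else if (/^['"][^'"]*['"]\s*\+/.test(arg)) {
      reason = 'query string built by concatenation';
    } else if (method.endsWith('Unsafe') && !/^['"]/.test(arg)) {
      reason = 'Unsafe raw method called with a non-literal query';
    }
    // Anything else (Prisma.sql`...`, a '?' placeholder string, or a tagged
    // prisma.$queryRaw`...` call, which has no '(' and never matches) is left alone.
    if (reason) findings.push({ method, line, reason });
  }
  return findings;
}

// Constructed source to scan: the page's vulnerable and secure forms plus a
// concatenation variant. Lines 1 and 11 should be flagged, the rest should not.
const SAMPLE = [
  "const users = await prisma.$queryRaw(",
  "  `SELECT * FROM users WHERE email = '${email}'`",
  ");",
  "const safe = await prisma.$queryRaw(",
  "  Prisma.sql`SELECT * FROM users WHERE email = ${email}`",
  ");",
  "const results = await sequelize.query(",
  "  'SELECT * FROM orders WHERE status = ?',",
  "  { replacements: [status] }",
  ");",
  "const bad = await sequelize.query('SELECT * FROM orders WHERE status = ' + status);",
].join('\n');
console.log(findUnsafeRawQueries(SAMPLE));
```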

Affected Technologies

Node.js, Python, Java, PHP, Go

Data Hogo detects this vulnerability automatically.
