Potential Query Injection Vulnerability Issues

Learn more about Potential Query Injection Vulnerability issues and how to diagnose and fix them.

Potential Query Injection Vulnerability issues are raised when Sentry detects values taken directly from an incoming request being incorporated into a database query. Unsanitised interpolation of user input can lead to SQL injection and related attacks.

The detector evaluates each request in two stages:

  1. Filter request values – Discards tokens that are:
    • too short,
    • SQL keywords, or
    • other frequently benign values.
  2. Match against queries – Scans database queries, and if both a payload key and its value appear in the same query, Sentry creates a Potential Query Injection Vulnerability issue.

Request →  GET /api?username=bob
Query   →  SELECT * FROM users WHERE username = 'bob'

Because the value 'bob' is inserted directly from the username parameter into the query, Sentry flags the operation as potentially vulnerable. An issue indicates a risk, not that an exploit has already occurred.
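The two-stage heuristic described above, written out as an added example (this is illustrative code, not Sentry's detector; the length threshold, keyword list and benign-value list are assumptions chosen for the example, and the request parameters and queries are constructed sample input):

```python
import re

# Assumed thresholds and lists for this example; Sentry's real configuration
# is not published on this page.
MIN_TOKEN_LENGTH = 3
SQL_KEYWORDS = {"select", "from", "where", "and", "or", "null", "true",
                "false", "order", "by", "limit", "offset"}
BENIGN_VALUES = {"asc", "desc", "id", "name", "page"}

# Constructed sample request and the queries it produced.
SAMPLE_PARAMS = {"username": "bob", "page": "2", "sort": "asc"}
SAMPLE_QUERIES = [
    # Value interpolated straight into the SQL text: should be flagged.
    "SELECT * FROM users WHERE username = 'bob'",
    # Parameterised form of the same query: the value never appears.
    "SELECT * FROM users WHERE username = ?",
    # Paging/sorting query whose values were filtered out in stage 1.
    "SELECT * FROM users ORDER BY id ASC LIMIT 20 OFFSET 2",
]


def filter_request_values(params: dict) -> dict:
    """Stage 1: drop values that are too short, SQL keywords, or benign."""
    kept = {}
    for key, value in params.items():
        text = str(value).strip()
        lowered = text.lower()
        if len(text) < MIN_TOKEN_LENGTH:
            continue
        if lowered in SQL_KEYWORDS or lowered in BENIGN_VALUES:
            continue
        kept[key] = text
    return kept


def match_against_queries(candidates: dict, queries: list) -> list:
    """Stage 2: flag a query if both a surviving key and its value occur in it."""
    findings = []
    for query in queries:
        for key, value in candidates.items():
            # Word-boundary match on the key so 'id' does not match 'valid'.
            key_present = re.search(rf"\b{re.escape(key)}\b", query, re.IGNORECASE)
            if key_present and value in query:
                findings.append({"query": query, "param": key, "value": value})
    return findings


def detect(params: dict, queries: list) -> list:
    """Run both stages and return the list of potential injection findings."""
    return match_against_queries(filter_request_values(params), queries)


if __name__ == "__main__":
    for finding in detect(SAMPLE_PARAMS, SAMPLE_QUERIES):
        print(f"flagged param={finding['param']!r} in: {finding['query']}")
```

Only the first query is flagged: the `page` and `sort` values are discarded in stage 1, and the parameterised query contains the key but not the value, so stage 2 never matches it.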

Some ORMs or query‑builder libraries assemble SQL strings internally before parameterising them, so the request value can appear in the query text Sentry sees even though the final statement is parameterised. We suppress many known libraries, but unrecognised ones may still trigger the detector. If you believe an issue is a false positive, leave feedback on the issue page.

To reduce the risk of query injection:

  • Use parameterised queries / prepared statements instead of string concatenation.
  • Validate and sanitise all external input.
  • Avoid raw queries when safe ORM APIs are available.
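The first two points side by side, as an added example that is not part of the original page: the interpolated lookup is the pattern the detector flags, the parameterised lookup is its fix, and an allowlist check covers input validation. It uses an in-memory SQLite database with constructed rows; the table, column names and the username pattern are assumptions for the example.

```python
import re
import sqlite3

# Assumed allowlist for usernames in this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("bob", "bob@example.com"), ("alice", "alice@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the request value becomes part of the SQL text.

    This is exactly the shape the detector reports, because the key
    ('username') and the value both appear in the executed query.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username: str) -> bool:
    """Input validation: reject anything outside the allowlisted shape."""
    return USERNAME_RE.fullmatch(username) is not None


def find_user_validated(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then use the parameterised query."""
    if not is_valid_username(username):
        return []
    return find_user_safe(conn, username)


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe   :", find_user_unsafe(conn, crafted))     # every user leaks
    print("safe     :", find_user_safe(conn, crafted))       # no rows
    print("validated:", find_user_validated(conn, crafted))  # rejected
```

The textbook tautology input returns every row from the interpolated query and nothing from the parameterised one; the validated path rejects it before a query is issued at all.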