Fix SQL Injection (Legacy & Modern) in ElysiaJS
ElysiaJS is built for speed on Bun, but raw performance doesn't prevent SQL Injection (SQLi) if you're writing garbage queries. SQLi occurs when untrusted user input is treated as code by the database engine. In the Elysia ecosystem, this typically happens when developers abuse JavaScript template literals to build raw queries. To secure your stack, you must move from string concatenation to parameterized queries or type-safe ORMs that handle sanitization at the driver level.
The Vulnerable Pattern
```typescript
import { Elysia } from 'elysia';
import { Database } from 'bun:sqlite';

const db = new Database('prod.db');

new Elysia()
  .get('/user/:name', ({ params: { name } }) => {
    // VULNERABLE: direct string interpolation lets the caller rewrite the SQL itself
    // Payload example: /user/admin'--
    const query = `SELECT * FROM users WHERE username = '${name}'`;
    return db.query(query).all();
  })
  .listen(3000);
```
The Secure Implementation
The vulnerable example uses a template literal to splice the 'name' variable directly into the SQL string. An attacker can break out of the string context (e.g., with a single quote) and append further commands such as 'DROP TABLE users'. The secure implementation uses prepared statements: with the '?1' placeholder the SQL text is compiled by the database engine first, and the user input is bound to the statement afterwards, so the database treats it as a literal string value regardless of its content. The 't.Object' schema on the route validates that the parameter is a string, which is good hygiene, but it is the prepared statement, not the validation, that prevents injection. For modern Elysia apps, Drizzle ORM is recommended because its 'sql' tagged templates parameterize interpolated values automatically, giving 'hacker-style' raw SQL control with secure defaults.
```typescript
import { Elysia, t } from 'elysia';
import { Database } from 'bun:sqlite';

const db = new Database('prod.db');

new Elysia()
  .get('/user/:name', ({ params: { name } }) => {
    // SECURE: parameterized query (prepared statement)
    // The ?1 placeholder ensures the input is bound as data, never parsed as SQL.
    const stmt = db.prepare('SELECT * FROM users WHERE username = ?1');
    return stmt.all(name);
  }, {
    params: t.Object({ name: t.String() }),
  })
  .listen(3000);
```
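To make the difference between the two patterns concrete without a database, here is an added example (not code from the original article, nor from Elysia, Bun or Drizzle). It rebuilds both queries from the article and reduces each to its structural skeleton, the SQL text with string literals and comments collapsed to tokens, which is roughly what the engine compiles. The names `buildUnsafeQuery`, `buildSafeQuery`, `sqlSkeleton`, `structurePreserved` and `check` are mine, the tokenizer is deliberately simplified, and the sample inputs are constructed: an ordinary username, the article's own `admin'--` payload, and a benign name containing an apostrophe.

```typescript
// Added example, not code from the original article or from Elysia/Bun.
// It needs no database: it compares the *skeleton* of the SQL text (what the
// engine actually compiles) to show that interpolation lets caller input change
// the statement's structure, while a bound parameter leaves the text untouched.

interface Query {
  sql: string;      // text handed to the engine for compilation
  params: string[]; // values bound after compilation
}

// The vulnerable pattern from the article: caller text becomes SQL text.
function buildUnsafeQuery(name: string): Query {
  return { sql: `SELECT * FROM users WHERE username = '${name}'`, params: [] };
}

// The secure pattern: SQL text is fixed; the value travels separately.
function buildSafeQuery(name: string): Query {
  return { sql: 'SELECT * FROM users WHERE username = ?1', params: [name] };
}

// Reduce SQL text to its structural tokens: each single-quoted literal becomes
// <str> (or <unterminated> if never closed), each `--` line comment becomes
// <comment>, everything else is split on whitespace. Honours the '' escape.
// Simplified tokenizer for the demo, not a full SQL parser (assumption).
function sqlSkeleton(sql: string): string {
  const tokens: string[] = [];
  let plain = '';
  const flush = (): void => {
    if (plain.trim()) tokens.push(...plain.trim().split(/\s+/));
    plain = '';
  };
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      flush();
      let j = i + 1;
      let closed = false;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; } // doubled quote inside literal
          closed = true;
          break;
        }
        j++;
      }
      tokens.push(closed ? '<str>' : '<unterminated>');
      i = closed ? j + 1 : sql.length;
    } else if (ch === '-' && sql[i + 1] === '-') {
      flush();
      tokens.push('<comment>');
      const nl = sql.indexOf('\n', i);
      i = nl === -1 ? sql.length : nl + 1;
    } else {
      plain += ch;
      i++;
    }
  }
  flush();
  return tokens.join(' ');
}

// Baselines: the shape each builder produces for an ordinary username.
const UNSAFE_BASELINE = sqlSkeleton(buildUnsafeQuery('alice').sql);
const SAFE_BASELINE = sqlSkeleton(buildSafeQuery('alice').sql);

// True when the built statement still has the intended shape.
function structurePreserved(baseline: string, built: Query): boolean {
  return sqlSkeleton(built.sql) === baseline;
}

// For one input, report whether each builder kept the statement's structure.
function check(name: string): { unsafe: boolean; safe: boolean } {
  return {
    unsafe: structurePreserved(UNSAFE_BASELINE, buildUnsafeQuery(name)),
    safe: structurePreserved(SAFE_BASELINE, buildSafeQuery(name)),
  };
}

// Constructed inputs: an ordinary name, the article's payload, and a benign
// name containing an apostrophe (which breaks the interpolated query too).
for (const name of ['alice', "admin'--", "O'Brien"]) {
  console.log(JSON.stringify(name), check(name), sqlSkeleton(buildUnsafeQuery(name).sql));
}
```

Two things stand out when this runs. The `admin'--` payload turns the interpolated statement into `... username = <str> <comment>`, which is a different statement from the one the developer wrote; the bound version never changes shape because the value is in `params`, not in the text. And the harmless `O'Brien` shows that interpolation is not only an injection risk but a correctness bug: it produces an unterminated literal (a syntax error at the engine), while the prepared statement handles the apostrophe without any escaping.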
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.