Fix SQL Injection (Legacy & Modern) in Remix
Remix bridges the gap between client and server seamlessly, but this convenience often leads developers to treat 'request.formData()' as safe input. In a Remix 'action' or 'loader', passing raw, unescaped strings into your database layer is an invitation for full database compromise. Whether you are using legacy 'pg' drivers or modern ORMs like Prisma, failing to parameterize your queries allows attackers to break out of the SQL context and execute arbitrary commands.
The Vulnerable Pattern
export const action = async ({ request }) => {
const formData = await request.formData();
const userId = formData.get('id');
// CRITICAL VULNERABILITY: String interpolation in raw SQL
const result = await db.raw(`SELECT * FROM users WHERE id = ${userId}`);
return { user: result.rows[0] };
};
The Secure Implementation
The vulnerability occurs because the database engine cannot distinguish between the developer's SQL commands and the user's data once they are concatenated into a single string. An attacker providing '1; DROP TABLE users' would execute both commands. The fix is to use parameterized queries (prepared statements). With placeholders ($1, ?), the SQL driver sends the query template and the data to the database separately, so the engine treats the input strictly as data, never as executable code, which neutralizes the injection vector. In Remix, always validate and cast your 'formData' values before they reach your data access layer.
export const action = async ({ request }) => {
const formData = await request.formData();
const userId = formData.get('id');
// SECURE (Legacy/Raw): Use parameterized placeholders; the driver sends the template and the value separately
const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
// SECURE (Modern/Prisma): Use the ORM's built-in abstraction
// (note: findUnique returns the record itself, not a { rows } object)
// const result = await prisma.user.findUnique({ where: { id: String(userId) } });
return { user: result.rows[0] };
};
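The validate-then-parameterize flow described above as a runnable example (added here, not code from the original post). It stands in for the pg client with a constructed stub that only records the template and parameters it receives, and uses URLSearchParams as a stand-in for the form data because it has the same get() shape; parseUserId, buildUserQuery and handleAction are names chosen for this example.

```javascript
// Validation step: accept only a short run of digits, so anything that is
// not a plausible id is rejected before it reaches the data access layer.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,10}$/.test(raw)) return null;
  return Number(raw);
}

// Parameterized form: the SQL template and the data are two separate values;
// the driver never splices userId into the query text.
function buildUserQuery(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', params: [userId] };
}

// The vulnerable pattern from above, kept only so the two shapes can be
// compared: here the raw input becomes part of the statement itself.
function unsafeUserQuery(raw) {
  return `SELECT * FROM users WHERE id = ${raw}`;
}

// Constructed stub for a pg-style client; records calls and returns a
// canned row for id 42 so the example runs without a database.
function makeStubDb() {
  const calls = [];
  return {
    calls,
    async query(text, params) {
      calls.push({ text, params });
      return { rows: params[0] === 42 ? [{ id: 42, name: 'alice' }] : [] };
    },
  };
}

// Body of a Remix action, with the db and parsed form data injected so it
// can be exercised directly; a real action would call request.formData().
async function handleAction(db, formData) {
  const userId = parseUserId(formData.get('id'));
  if (userId === null) return { status: 400, user: null };
  const { text, params } = buildUserQuery(userId);
  const result = await db.query(text, params);
  return { status: 200, user: result.rows[0] ?? null };
}

// Constructed inputs: one benign id and one injection attempt.
const benign = new URLSearchParams('id=42');
const hostile = new URLSearchParams('id=1; DROP TABLE users');

(async () => {
  const db = makeStubDb();
  console.log(await handleAction(db, benign));   // { status: 200, user: {...} }
  console.log(await handleAction(db, hostile));  // { status: 400, user: null }
  console.log(db.calls);                         // only the parameterized call
})();
```

Compare unsafeUserQuery(hostile.get('id')) with buildUserQuery's output to see the difference the database engine actually receives: one statement with the attacker's text embedded, versus a fixed template plus a separate value.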
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.