#0302
A blog platform exposes a search endpoint that accepts a free-text searchTerm from the user and constructs a SQL LIKE query by concatenating the term directly into the string.
An attacker can break out of the LIKE pattern with a single quote and then execute arbitrary SQL — extracting password hashes, dumping tables, or bypassing authorization.
This is a common variant of SQL injection where the injection point is inside a LIKE clause rather than a simple equality check.
Search fields are a frequent injection entry point because developers often forget that LIKE patterns are still SQL. A UNION-based injection here can silently dump any table in the database.
Fix buildSearchQuery so the search term is passed as a parameter. Wrapping the term in wildcards (%term%) must happen in the params array, not inline in the SQL. The function should return { sql: "SELECT id,title FROM posts WHERE title LIKE $1", params: ["%" + searchTerm + "%"] }.

buildSearchQuery("foo' UNION SELECT password,null FROM users--")
// FIX → { sql: '...LIKE $1', params: ["%foo' UNION SELECT...%"] }

buildSearchQuery('hello')
// → { sql: '...LIKE $1', params: ['%hello%'] }

Requirements: sql must use $1 as the placeholder. The params array must contain exactly one element: "%" + searchTerm + "%".
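The following is an added example, not the challenge's reference solution: the vulnerable string-concatenating builder beside the parameterised one the task asks for, plus a small check a unit test can use to confirm the SQL text never varies with user input. The { sql, params } shape with a $1 placeholder follows the challenge text (the node-postgres parameter style); the extra buildSearchQueryLiteral variant goes beyond the task's spec by also escaping the LIKE metacharacters % and _ so a user cannot widen the pattern, and its ESCAPE clause is an assumption about the target database.

```javascript
// Added example (not the challenge's own code). Table and column names come
// from the challenge text; the $1 placeholder style is assumed (node-postgres).

// VULNERABLE: the user-controlled term is spliced straight into the LIKE
// pattern, so a single quote terminates the pattern and the rest is SQL.
function buildSearchQueryVulnerable(searchTerm) {
  return {
    sql: "SELECT id,title FROM posts WHERE title LIKE '%" + searchTerm + "%'",
    params: [],
  };
}

// FIXED: the SQL text is a constant. The term, wildcards included, travels
// as a bound parameter, so quotes inside it are data, never syntax.
function buildSearchQuery(searchTerm) {
  if (typeof searchTerm !== "string") {
    throw new TypeError("searchTerm must be a string");
  }
  return {
    sql: "SELECT id,title FROM posts WHERE title LIKE $1",
    params: ["%" + searchTerm + "%"],
  };
}

// Test helper: the SQL must be exactly the fixed statement and carry one
// parameter, whatever the caller supplied.
function sqlIsParameterised(query) {
  return query.sql === "SELECT id,title FROM posts WHERE title LIKE $1"
      && Array.isArray(query.params) && query.params.length === 1;
}

// Beyond the task: parameterisation stops injection, but a term containing
// % or _ still acts as a wildcard. Escaping them makes the term a literal
// substring match. ESCAPE '\' is assumed to be accepted by the database.
function escapeLikePattern(term) {
  return term.replace(/[\\%_]/g, (ch) => "\\" + ch);
}

function buildSearchQueryLiteral(searchTerm) {
  if (typeof searchTerm !== "string") {
    throw new TypeError("searchTerm must be a string");
  }
  return {
    sql: "SELECT id,title FROM posts WHERE title LIKE $1 ESCAPE '\\'",
    params: ["%" + escapeLikePattern(searchTerm) + "%"],
  };
}

// Constructed input taken from the challenge's own example.
const payload = "foo' UNION SELECT password,null FROM users--";

const bad = buildSearchQueryVulnerable(payload);
const good = buildSearchQuery(payload);
console.log(bad.sql);     // the UNION has become part of the statement
console.log(good.sql);    // unchanged: ...LIKE $1
console.log(good.params); // ["%foo' UNION SELECT password,null FROM users--%"]
console.log(buildSearchQueryLiteral("50%_off").params); // ["%50\\%\\_off%"]
```

Run it with node; the two console lines for the same payload make the difference visible: the vulnerable builder's SQL changes with the input, the fixed builder's SQL is byte-for-byte the same for every input and only the parameter array differs.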