diff --git a/docs/product/issues/issue-details/query-injection-issues/index.mdx b/docs/product/issues/issue-details/query-injection-issues/index.mdx new file mode 100644 index 00000000000000..edc4a98f03a5ee --- /dev/null +++ b/docs/product/issues/issue-details/query-injection-issues/index.mdx @@ -0,0 +1,38 @@ +--- +title: "Potential Query Injection Vulnerability Issues" +sidebar_order: 50 +description: "Learn more about Potential Query Injection Vulnerability issues and how to diagnose and fix them." +--- + +Potential Query Injection Vulnerability issues are raised when Sentry detects values taken directly from an incoming request being incorporated into a database query. Unsanitized interpolation of user input can lead to [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) and related attacks. + +## Detection Criteria + +The detector evaluates each request in **two stages**: + +1. **Filter request values** – Discards tokens that are: + + - too short, + - SQL keywords, or + - other frequently benign values + +2. **Match against queries** – Scans database queries and if **both** a payload key _and_ its value appear in the same query, Sentry creates a Potential Query Injection Vulnerability issue. + +### Example + +``` +Request → GET /api?username=bob +Query → SELECT * FROM users WHERE username = 'bob' +``` + +Because the value `'bob'` is inserted directly from the `username` parameter into the query, Sentry flags the operation as potentially vulnerable. **An issue indicates a security _risk_, not a confirmation that an exploit has already occurred.** + +### False Positives + +Some ORMs or query‑builder libraries assemble SQL strings internally before parameterizing them. We automatically suppress many known libraries, but unrecognized ones may still trigger the detector. If you believe an issue is a false positive, leave feedback on the issue page. + +## Remediation + +- Use **parameterised queries / prepared statements** instead of string concatenation. +- **Validate and sanitise** all external input. +- Avoid **raw queries** when safe ORM APIs are available.