9.2.3: SQL Injection
SQL injection is an attacker's ability to run arbitrary SQL against the app's database by supplying input that the app splices into a query, so the input is interpreted as SQL syntax rather than as data.
The following link makes a GET request to the API part of the app:
The query parameter at the end of this link has a SQL fragment appended to it:
' UNION SELECT email, password FROM users--
Once the app concatenates the parameter into its query, the complete query looks like this (the app's console.log prints it out):
SELECT name,type from cats WHERE name='kai' UNION SELECT email, password FROM users--'
According to the source, UNION "lets you execute an additional SELECT query and append the results to the original query". The trailing -- turns the app's closing quote into a comment, so the query stays syntactically valid.
You can learn more about this example query here:
Notice that the response now includes a list of all users and their passwords, appended to the cat results.

SQL Injection Solutions

The main part of the app that exposes this vulnerability is this line:
const query =
"SELECT name, type from cats WHERE name='" + name + "'"; // `name` stands in for the request parameter; the variable's identifier is missing from the page
Raw concatenation of request parameters into a SQL query must be avoided anywhere in the query, not only in a WHERE clause.
Parameterized SQL queries do not have this problem: the query text and the values are sent to the database separately, so a value can never change the query's structure. The following syntax is preferred in all cases ($1 is the positional placeholder syntax used by PostgreSQL clients):
const query = 'SELECT name, type from cats WHERE name=$1';
const values = [name]; // the parameter value travels separately from the query text; `name` again stands in for the request parameter
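To see both the injection described above and the parameterized fix actually run against a database, here is an added example that is not part of the page or of the cats app. It uses Python's built-in sqlite3 module with an in-memory database standing in for the app's PostgreSQL database; the cats and users rows are constructed sample data, and SQLite's ? placeholder plays the role of $1. The concatenating lookup reproduces the page's UNION query and returns the users table alongside the cat; the parameterized lookup treats the same payload as an ordinary (non-matching) cat name.

```python
import sqlite3

# Constructed sample data: table and column names follow the page, rows are made up.
SCHEMA = """
CREATE TABLE cats (name TEXT, type TEXT);
CREATE TABLE users (email TEXT, password TEXT);
INSERT INTO cats VALUES ('kai', 'tabby'), ('luna', 'siamese');
INSERT INTO users VALUES ('alice@example.com', 'hunter2'), ('bob@example.com', 'letmein');
"""

# The fragment quoted on the page, appended to a legitimate cat name by the attacker.
PAYLOAD = "' UNION SELECT email, password FROM users--"


def open_db():
    """Create the in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def unsafe_lookup(conn, name):
    """Mirror of the vulnerable line: the request parameter is concatenated into the query text.
    Returns the query that was sent and the rows that came back."""
    query = "SELECT name, type FROM cats WHERE name='" + name + "'"
    return query, conn.execute(query).fetchall()


def safe_lookup(conn, name):
    """Parameterized version: the value is bound by the driver, never parsed as SQL.
    SQLite uses '?' where node-postgres uses '$1'."""
    query = "SELECT name, type FROM cats WHERE name=?"
    return query, conn.execute(query, [name]).fetchall()


if __name__ == "__main__":
    db = open_db()
    attacker_input = "kai" + PAYLOAD

    sent, rows = unsafe_lookup(db, attacker_input)
    print("unsafe query sent:", sent)
    print("unsafe rows:", rows)       # cat row plus every user's email and password

    sent, rows = safe_lookup(db, attacker_input)
    print("safe query sent:", sent)
    print("safe rows:", rows)         # [] : no cat is named "kai' UNION SELECT ..."

    print("safe lookup for 'kai':", safe_lookup(db, "kai")[1])
```

Running the script prints the exact query string shown on the page for the unsafe path, followed by the leaked user rows, and an empty result for the parameterized path with the same input. The point to take away is that the fix is not input filtering: the payload reaches the database unchanged in both cases, but in the parameterized query it arrives as a value rather than as part of the statement.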

Further Reading