Skip to content

ap0h/sql-injection-detector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

2 Commits
README.md
README.md
Β 
Β 
example-usage.js
example-usage.js
Β 
Β 
index.d.ts
index.d.ts
Β 
Β 
index.js
index.js
Β 
Β 
package.json
package.json
Β 
Β 
test.js
test.js
Β 
Β 

Repository files navigation

@ap0h/sqli-detector

A safe, pure JavaScript SQL injection detection library with zero dependencies.

npm version License: MIT

Features

  • πŸ”’ Zero dependencies - No supply chain risks
  • πŸš€ Pure JavaScript - No Python, no external processes
  • 🎯 High accuracy - Detects 20+ attack patterns
  • πŸ“Š Risk scoring - Threat levels from SAFE to CRITICAL
  • 🐘 PostgreSQL support - Detects pg_sleep, pg_read_file, etc.
  • πŸ”§ TypeScript ready - Full type definitions included

Installation

# From GitHub Packages
npm install @ap0h/sqli-detector --registry=https://npm.pkg.github.com

Or add to your .npmrc:

@ap0h:registry=https://npm.pkg.github.com

Then:

npm install @ap0h/sqli-detector

Quick Start

const { detectSql, sanitize } = require('@ap0h/sqli-detector');

// Detect SQL injection
const result = detectSql("' OR '1'='1");
console.log(result.isSqlInjection);  // true
console.log(result.threatLevel);      // 'HIGH'

Real-World Example: Protecting API Query Parameters

const { detectSql } = require('@ap0h/sqli-detector');
const express = require('express');
const app = express();

// Middleware to protect against SQL injection
function sqlInjectionGuard(req, res, next) {
  for (const [key, value] of Object.entries(req.query)) {
    if (typeof value !== 'string') continue;
    
    const result = detectSql(value);
    
    if (result.isSqlInjection) {
      console.log(`🚨 SQL Injection blocked!`);
      console.log(`   Parameter: ${key}`);
      console.log(`   Value: ${value}`);
      console.log(`   Threat: ${result.threatLevel}`);
      console.log(`   Score: ${result.score}`);
      
      return res.status(400).json({ error: 'Invalid input' });
    }
  }
  next();
}

app.use(sqlInjectionGuard);

// Your protected endpoint
app.get('/api/search', (req, res) => {
  const search = req.query.q;
  // Safe to use with parameterized query
  res.json({ results: [] });
});

app.listen(3000);

What happens with an attack:

GET /api/search?q='1'='1' OR pg_sleep(5)--

Console output:
🚨 SQL Injection blocked!
   Parameter: q
   Value: '1'='1' OR pg_sleep(5)--
   Threat: CRITICAL
   Score: 25

Response: 400 Bad Request

Safe inputs pass through:

GET /api/search?q=bitcoin          β†’ βœ… Allowed (score: 0)
GET /api/search?q=ethereum%20price β†’ βœ… Allowed (score: 0)
GET /api/search?q=O'Brien          β†’ βœ… Allowed (score: 0)

API Reference

detectSql(input, options?)

Main detection function.

const result = detectSql("' UNION SELECT * FROM users--");

// Result:
{
  isSqlInjection: true,
  score: 15,
  threatLevel: 'HIGH',      // 'SAFE' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL'
  tokens: ['UNION', 'COMMENT']
}

Options:

  • threshold (number, default: 5) - Score threshold for detection
  • detailed (boolean, default: false) - Include match details

explain(input)

Get detailed analysis with explanations.

const { explain } = require('@ap0h/sqli-detector');

const analysis = explain("' OR '1'='1");

// Returns:
{
  isSqlInjection: true,
  score: 12,
  threatLevel: 'HIGH',
  findings: [
    {
      pattern: 'BOOLEAN',
      explanation: 'Boolean-based injection pattern',
      matches: ["'1'='1"]
    },
    {
      pattern: 'TAUTOLOGY', 
      explanation: 'Tautology attack (always-true condition)',
      matches: ["' OR '1'='1"]
    }
  ],
  recommendation: 'BLOCK this input - high likelihood of SQL injection attack'
}

sanitize(input)

Basic string escaping. Always prefer parameterized queries!

const { sanitize } = require('@ap0h/sqli-detector');

sanitize("O'Brien");     // "O''Brien"
sanitize("test\\path");  // "test\\\\path"

detectSqlAsync(input)

Promise-based detection for async workflows.

const { detectSqlAsync } = require('@ap0h/sqli-detector');

const result = await detectSqlAsync(userInput);
if (!result.success) {
  // SQL injection detected - block request
}

Detection Coverage

Attack Type Example Threat Level
Boolean injection ' OR '1'='1 HIGH
UNION injection ' UNION SELECT * FROM users-- HIGH
DROP TABLE '; DROP TABLE users;-- CRITICAL
Time-based (MySQL) ' AND SLEEP(5)-- HIGH
Time-based (PostgreSQL) `'
Login bypass admin'-- MEDIUM
File read LOAD_FILE('/etc/passwd') CRITICAL
Schema enumeration information_schema.tables HIGH
CHAR bypass CHAR(65)+CHAR(66) MEDIUM
Comment injection admin'/* MEDIUM

Threat Levels

Level Score Action
SAFE 0 Allow
LOW 1-4 Allow (monitor)
MEDIUM 5-9 Block or review
HIGH 10-19 Block
CRITICAL 20+ Block + alert

Important: Defense in Depth

This detector is a first line of defense. Always combine with:

// βœ… ALWAYS use parameterized queries
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [userInput]  // Parameterized - safe even if injection slips through
);

// ❌ NEVER concatenate user input into SQL
const results = await db.query(
  `SELECT * FROM users WHERE name = '${userInput}'`  // DANGEROUS!
);

TypeScript

Full TypeScript support included:

import { detectSql, DetectionResult } from '@ap0h/sqli-detector';

const result: DetectionResult = detectSql(userInput);

if (result.isSqlInjection) {
  // Handle attack
}

Support

If this library helped protect your application, consider supporting development:

Solana: 25iWiaiKvUjkG1DoA9MujPiEdE6kTbKokchfE4ohNMnT

License

MIT

Contributing

Issues and PRs welcome at GitHub.

About

A safe, pure JavaScript SQL injection detection library with zero dependencies

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages