diff --git a/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
index 6d6f1f404..60a68b5f6 100644
--- a/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -10,6 +10,33 @@ edges | main.go:33:3:33:13 | RequestData [pointer, Category] | main.go:33:3:33:13 | implicit dereference [Category] : slice type | | main.go:33:3:33:13 | implicit dereference [Category] : slice type | main.go:33:3:33:22 | selection of Category : slice type | | main.go:33:3:33:22 | selection of Category : slice type | main.go:34:11:34:11 | q | +| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | main.go:39:2:39:12 | RequestData [pointer, Category] | +| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | main.go:42:3:42:13 | RequestData [pointer, Category] | +| main.go:39:2:39:12 | RequestData [pointer, Category] | main.go:39:2:39:12 | implicit dereference [Category] : slice type | +| main.go:39:2:39:12 | implicit dereference [Category] : slice type | main.go:38:2:38:12 | definition of RequestData [pointer, Category] | +| main.go:39:25:39:31 | selection of URL : pointer type | main.go:39:25:39:51 | index expression : slice type | +| main.go:39:25:39:51 | index expression : slice type | main.go:39:2:39:12 | implicit dereference [Category] : slice type | +| main.go:42:3:42:13 | RequestData [pointer, Category] | main.go:42:3:42:13 | implicit dereference [Category] : slice type | +| main.go:42:3:42:13 | implicit dereference [Category] : slice type | main.go:42:3:42:22 | selection of Category : slice type | +| main.go:42:3:42:22 | selection of Category : slice type | main.go:43:11:43:11 | q | +| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | main.go:48:4:48:14 | RequestData [pointer, Category] | +| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | main.go:51:3:51:13 | RequestData [pointer, Category] | +| main.go:48:3:48:14 | star expression [Category] : slice type | main.go:47:2:47:12 | definition of RequestData [pointer, Category] | +| main.go:48:4:48:14 | RequestData [pointer, Category] | main.go:48:3:48:14 | star expression [Category] : slice type | +| main.go:48:28:48:34 | 
selection of URL : pointer type | main.go:48:28:48:54 | index expression : slice type | +| main.go:48:28:48:54 | index expression : slice type | main.go:48:3:48:14 | star expression [Category] : slice type | +| main.go:51:3:51:13 | RequestData [pointer, Category] | main.go:51:3:51:13 | implicit dereference [Category] : slice type | +| main.go:51:3:51:13 | implicit dereference [Category] : slice type | main.go:51:3:51:22 | selection of Category : slice type | +| main.go:51:3:51:22 | selection of Category : slice type | main.go:52:11:52:11 | q | +| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | main.go:57:4:57:14 | RequestData [pointer, Category] | +| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | main.go:60:5:60:15 | RequestData [pointer, Category] | +| main.go:57:3:57:14 | star expression [Category] : slice type | main.go:56:2:56:12 | definition of RequestData [pointer, Category] | +| main.go:57:4:57:14 | RequestData [pointer, Category] | main.go:57:3:57:14 | star expression [Category] : slice type | +| main.go:57:28:57:34 | selection of URL : pointer type | main.go:57:28:57:54 | index expression : slice type | +| main.go:57:28:57:54 | index expression : slice type | main.go:57:3:57:14 | star expression [Category] : slice type | +| main.go:60:3:60:25 | selection of Category : slice type | main.go:61:11:61:11 | q | +| main.go:60:4:60:15 | star expression [Category] : slice type | main.go:60:3:60:25 | selection of Category : slice type | +| main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] : slice type | nodes | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | semmle.label | selection of URL : pointer type | | SqlInjection.go:12:11:12:11 | q | semmle.label | q | 
@@ -27,9 +54,39 @@ nodes | main.go:33:3:33:13 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type | | main.go:33:3:33:22 | selection of Category : slice type | semmle.label | selection of Category : slice type | | main.go:34:11:34:11 | q | semmle.label | q | +| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] | +| main.go:39:2:39:12 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] | +| main.go:39:2:39:12 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type | +| main.go:39:25:39:31 | selection of URL : pointer type | semmle.label | selection of URL : pointer type | +| main.go:39:25:39:51 | index expression : slice type | semmle.label | index expression : slice type | +| main.go:42:3:42:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] | +| main.go:42:3:42:13 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type | +| main.go:42:3:42:22 | selection of Category : slice type | semmle.label | selection of Category : slice type | +| main.go:43:11:43:11 | q | semmle.label | q | +| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] | +| main.go:48:3:48:14 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type | +| main.go:48:4:48:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] | +| main.go:48:28:48:34 | selection of URL : pointer type | semmle.label | selection of URL : pointer type | +| main.go:48:28:48:54 | index expression : slice type | semmle.label | index expression : slice type | +| main.go:51:3:51:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] | +| 
main.go:51:3:51:13 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type | +| main.go:51:3:51:22 | selection of Category : slice type | semmle.label | selection of Category : slice type | +| main.go:52:11:52:11 | q | semmle.label | q | +| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] | +| main.go:57:3:57:14 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type | +| main.go:57:4:57:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] | +| main.go:57:28:57:34 | selection of URL : pointer type | semmle.label | selection of URL : pointer type | +| main.go:57:28:57:54 | index expression : slice type | semmle.label | index expression : slice type | +| main.go:60:3:60:25 | selection of Category : slice type | semmle.label | selection of Category : slice type | +| main.go:60:4:60:15 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type | +| main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] | +| main.go:61:11:61:11 | q | semmle.label | q | #select | SqlInjection.go:12:11:12:11 | q | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | SqlInjection.go:12:11:12:11 | q | This query depends on $@. | SqlInjection.go:11:3:11:9 | selection of URL | a user-provided value | | main.go:10:11:10:28 | index expression | main.go:10:11:10:16 | selection of Form : Values | main.go:10:11:10:28 | index expression | This query depends on $@. | main.go:10:11:10:16 | selection of Form | a user-provided value | | main.go:14:11:14:84 | call to Sprintf | main.go:14:63:14:67 | selection of URL : pointer type | main.go:14:11:14:84 | call to Sprintf | This query depends on $@. 
| main.go:14:63:14:67 | selection of URL | a user-provided value | | main.go:15:11:15:85 | call to Sprintf | main.go:15:63:15:84 | call to Get : string | main.go:15:11:15:85 | call to Sprintf | This query depends on $@. | main.go:15:63:15:84 | call to Get | a user-provided value | | main.go:34:11:34:11 | q | main.go:29:13:29:19 | selection of URL : pointer type | main.go:34:11:34:11 | q | This query depends on $@. | main.go:29:13:29:19 | selection of URL | a user-provided value | +| main.go:43:11:43:11 | q | main.go:39:25:39:31 | selection of URL : pointer type | main.go:43:11:43:11 | q | This query depends on $@. | main.go:39:25:39:31 | selection of URL | a user-provided value | +| main.go:52:11:52:11 | q | main.go:48:28:48:34 | selection of URL : pointer type | main.go:52:11:52:11 | q | This query depends on $@. | main.go:48:28:48:34 | selection of URL | a user-provided value | +| main.go:61:11:61:11 | q | main.go:57:28:57:34 | selection of URL : pointer type | main.go:61:11:61:11 | q | This query depends on $@. | main.go:57:28:57:34 | selection of URL | a user-provided value | diff --git a/ql/test/query-tests/Security/CWE-089/main.go b/ql/test/query-tests/Security/CWE-089/main.go index a71fa59ec..b1858f7e5 100644 --- a/ql/test/query-tests/Security/CWE-089/main.go +++ b/ql/test/query-tests/Security/CWE-089/main.go @@ -17,7 +17,7 @@ func test2(tx *sql.Tx, r *http.Request) { func main() {} -// https://github.com/github/codeql-go/issues/18 +// https://github.com/github/codeql-go/issues/18 and variants type RequestStruct struct { Id int64 `db:"id"` Category []string `db:"category"` 
@@ -33,3 +33,30 @@ func handler2(db *sql.DB, req *http.Request) {
 RequestData.Category)
 db.Query(q)
 }
+
+func handler3(db *sql.DB, req *http.Request) {
+ RequestData := &RequestStruct{}
+ RequestData.Category = req.URL.Query()["category"]
+
+ q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
+ RequestData.Category)
+ db.Query(q)
+}
+
+func handler4(db *sql.DB, req *http.Request) {
+ RequestData := &RequestStruct{}
+ (*RequestData).Category = req.URL.Query()["category"]
+
+ q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
+ RequestData.Category)
+ db.Query(q)
+}
+
+func handler5(db *sql.DB, req *http.Request) {
+ RequestData := &RequestStruct{}
+ (*RequestData).Category = req.URL.Query()["category"]
+
+ q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
+ (*RequestData).Category)
+ db.Query(q)
+}
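Review bot: handler3, handler4 and handler5 differ only in how the `Category` field is written and read (implicit dereference on both, explicit `(*RequestData)` on the write only, explicit on write and read), yet nothing in the hunk says which pointer-dereference shape each one exists to exercise; the only hint is the `and variants` wording added to the struct comment in the earlier hunk. These are regression fixtures for field flow through a pointer (the updated expected output now reports `q` at the `db.Query(q)` call of all three), so a one-line comment per function would stop a later cleanup from collapsing them into one, e.g. `// handler4: Category assigned through an explicit (*ptr).field dereference, read through the implicit one.` with matching wording on handler3 and handler5. Each handler also discards both return values of `db.Query(q)`; that mirrors handler2 and is acceptable in a fixture, but a short `// fixture: result deliberately ignored` on those lines would make the leak read as intentional rather than as an oversight.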