no-raw-sql-dangerous

Flag interpolated raw SQL

Severity: Error

What it does

Flags db.$queryRaw() calls that contain string interpolation. Safe parameterized forms like sql...``tagged templates are not flagged. Rawdb.$queryRaw() with string interpolation is flagged as an error; raw db.$queryRaw() without interpolation is flagged as a warning.

Why it matters

String interpolation in raw SQL is the primary vector for SQL injection attacks. Parameterized queries should always be used instead.

The rule distinguishes between:

  • String literals ("value") — safe, no interpolation.
  • Template literals without expressions (`value`) — safe.
  • Template literals with expressions (`WHERE id = ${id}`) — interpolated, flagged.
  • Other expressions (variables, function calls) — assumed interpolated, flagged.

Examples

Bad
const users = await db.$queryRaw(`SELECT * FROM users WHERE id = ${id}`); 
Good
const users = await db.$queryRaw(sql`SELECT * FROM users WHERE id = ${id}`); 

Using sql\...`` tagged templates with parameter placeholders is safe — Drizzle handles parameterization automatically.

When to disable

Disable this rule if you are certain the interpolated values are sanitized (e.g., validated enum values or trusted server-side constants). Remember that disabling this rule removes SQL injection protection.

Last updated on

On this page