Juicy Shop
SQL Injection via Product Search
Vulnerability
The product search endpoint builds its SQL query by concatenating the raw `q` request parameter directly into the statement. Because the input is never parameterised, an attacker can break out of the intended string literal and append their own SQL — reading other tables (e.g. user_profiles), bypassing filters, or dumping the schema with UNION SELECT. Any data the database user can reach is exposed.
Exploit Steps
- Open the products search bar
- Enter a normal query to observe the pattern (e.g. 'apple')
- Inject a SQL payload: enter `' UNION SELECT * FROM sqlite_master--`
- Observe the application returns unexpected rows — the injection was successful
Tools: browser devtools, curl, Burp Suite
Mitigation & Solution
Use parameterised queries (prepared statements) for all user-supplied input. Never interpolate request data into raw SQL strings. In Effect, use @effect/sql tagged template literals which parameterise automatically.
Coding Challenge
Find It
File: apps/juicy-shop/src/app/api/products/route.ts
Click the line that contains the vulnerability: