---
title: "Potential Query Injection Vulnerability Issues"
description: "Learn more about Potential Query Injection Vulnerability issues and how to diagnose and fix them."
url: https://docs.sentry.io/product/issues/issue-details/query-injection-issues/
---

# Potential Query Injection Vulnerability Issues

Potential Query Injection Vulnerability issues are raised when Sentry detects values taken directly from an incoming request being incorporated into a database query. Unsanitized interpolation of user input can lead to [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) and related attacks.

You can turn on this detector for your project in in **Project Settings > Performance**.

## [Detection Criteria](https://docs.sentry.io/product/issues/issue-details/query-injection-issues.md#detection-criteria)

The detector evaluates each request in **two stages**:

1. **Filter request values** – Discards tokens that are:

   * too short,
   * SQL keywords, or
   * other frequently benign values

2. **Match against queries** – Scans database queries and if **both** a payload key *and* its value appear in the same query, Sentry creates a Potential Query Injection Vulnerability issue.

### [Example](https://docs.sentry.io/product/issues/issue-details/query-injection-issues.md#example)

```bash
Request →  GET /api?username=bob
Query   →  SELECT * FROM users WHERE username = 'bob'
```

Because the value `'bob'` is inserted directly from the `username` parameter into the query, Sentry flags the operation as potentially vulnerable. **An issue indicates a security *risk*, not a confirmation that an exploit has already occurred.**

### [False Positives](https://docs.sentry.io/product/issues/issue-details/query-injection-issues.md#false-positives)

Some ORMs or query‑builder libraries assemble SQL strings internally before parameterizing them. We automatically suppress many known libraries, but unrecognized ones may still trigger the detector. If you believe an issue is a false positive, leave feedback on the issue page.

## [Remediation](https://docs.sentry.io/product/issues/issue-details/query-injection-issues.md#remediation)

* Use **parameterized queries / prepared statements** instead of string concatenation.
* **Validate and sanitize** all external input.
* Avoid **raw queries** when safe ORM APIs are available.