SiteShadow

SQL injection static analysis

The SQL injection path pattern-only scanners can miss

Your Flask app normalizes input in helpers. Your database call sits several functions away. If a scanner only matches local string-concatenation patterns, this is the path it can miss.


The problem

Many static-analysis checks still lean heavily on local patterns. They look for request parameters flowing directly into database queries, string concatenation near SQL execution, or function names that obviously indicate danger.

Modern code often does not keep risk on one line. Real applications split logic across helpers, normalize data in utility functions, and build queries incrementally. When user input travels through three functions before it reaches the database, pattern-only checks can lose the flow.

No single-line signature tells the whole story. The vulnerability lives in the flow, not just the syntax.

The proof

SiteShadow built a live Flask proof that demonstrates the issue. User email enters through an HTTP request, passes through a normalization helper, moves into a query-clause builder, and finally reaches db.execute() without parameterization.

Each step can look ordinary in isolation. The problem appears when the source-to-sink path is followed across function boundaries.
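The path described above, reconstructed as an added example that is not SiteShadow's proof app: the same three hops (normalization helper, clause builder, execute call) with the flawed builder beside a parameterized one. It assumes an in-memory sqlite3 database with constructed sample rows in place of the Flask app's database.

```python
import sqlite3

# Constructed sample data for an in-memory database (not from the original page).
SAMPLE_USERS = [
    (1, "alice@example.com"),
    (2, "o'brien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# Hop 1: a normalization helper. Looks harmless on its own.
def normalize_email(raw: str) -> str:
    return raw.strip().lower()


# Hop 2 (flawed): the clause builder interpolates the value into SQL text.
def build_where_unsafe(email: str) -> str:
    return f"WHERE email = '{email}'"


# Hop 2 (fixed): the builder returns SQL text plus a separate parameter tuple.
def build_where_safe(email: str) -> tuple:
    return "WHERE email = ?", (email,)


# Hop 3 (flawed sink): user input has been concatenated into the statement.
def lookup_user_unsafe(conn: sqlite3.Connection, raw_email: str):
    clause = build_where_unsafe(normalize_email(raw_email))
    return conn.execute("SELECT id, email FROM users " + clause).fetchone()


# Hop 3 (fixed sink): the driver binds the value as data, never as SQL.
def lookup_user_safe(conn: sqlite3.Connection, raw_email: str):
    clause, params = build_where_safe(normalize_email(raw_email))
    return conn.execute("SELECT id, email FROM users " + clause, params).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_safe(db, "  Alice@Example.com "))  # (1, 'alice@example.com')
    print(lookup_user_safe(db, "O'Brien@example.com"))   # (2, "o'brien@example.com")
    try:
        lookup_user_unsafe(db, "O'Brien@example.com")   # the quote breaks the SQL text
    except sqlite3.OperationalError as exc:
        print("unsafe path failed:", exc)
```

An ordinary address containing an apostrophe is enough to show the difference: the parameterized path returns the row, while the concatenated path hands the quote to the SQL parser and fails. No single function in the flawed path contains both the request input and the execute call, which is the multi-hop shape the page describes.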

Why it matters

CWE-89, SQL injection, remains a persistent production risk. SiteShadow maps this proof to CWE-89 and to its web-application taint coverage. The point is not to claim that every scanner misses every case. The point is simpler: checks that stop at local patterns can miss multi-hop data flow.

| Pattern-only checks | SiteShadow |
|---|---|
| Match code structure near the sink. | Tracks tainted data across function boundaries. |
| Can lose context at helper functions. | Follows assignments, returns, and query builders. |
| Best at obvious local signatures. | Built for source-to-sink flows that unfold over several steps. |

Technical validation

Test this class of finding

If your scanner only matches local SQL-concatenation patterns, multi-hop SQL injection is the class of finding to test next.
