review-sqli-and-query-safety


Check whether database queries can be manipulated in unsafe ways or built from untrusted input. Use this whenever the user wants to review database access safety, query building, search or filter logic, sorting, reports, or whether backend code may hide SQL injection risk, especially with SQL, ORMs, raw queries, or database-backed APIs.

By Qiuner. Updated 6/8/2026


Review SQLi And Query Safety

What to inspect

  • raw SQL fragments
  • query string concatenation
  • dynamic WHERE, ORDER BY, GROUP BY, or filter fields
  • direct execution APIs
  • report builders and search endpoints
  • pagination, sorting, and column selection inputs

Questions to answer

  1. Are values parameterized by the ORM or driver?
  2. Are dynamic column names, table names, or sort keys allowlisted?
  3. Is any raw SQL using untrusted input?
  4. Can query behavior be changed through request parameters or headers?
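The two properties the questions above ask about, bound values and allowlisted identifiers, are easiest to judge against a concrete query builder. The example below is added here and is not part of the skill or its repository; it assumes a hypothetical `products` table and uses SQLite so it runs offline. Filter values and LIMIT/OFFSET are always bound parameters, while column names and sort direction can only come from fixed allowlists, so a request with an unknown sort key or filter field is rejected before any SQL is built.

```python
from __future__ import annotations

import sqlite3
from typing import Any, Mapping

# Allowlists for dynamic identifiers (hypothetical schema). Keys are the names
# a request may send; values are the real column names that end up in the SQL
# text. Anything not listed is rejected before the query is built.
SORTABLE_COLUMNS = {"name": "name", "price": "price_cents", "created": "created_at"}
FILTERABLE_COLUMNS = {"category": "category", "vendor": "vendor"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_PAGE_SIZE = 100


def build_product_query(filters: Mapping[str, Any], sort_by: str = "name",
                        direction: str = "asc", page: int = 1,
                        page_size: int = 20) -> tuple[str, tuple]:
    """Build a search query for the products table and return (sql, params).

    Column names and the ORDER BY direction are taken only from the allowlists
    above; every user-supplied value, including LIMIT/OFFSET, is passed as a
    bound parameter rather than formatted into the SQL string.
    """
    where_clauses: list[str] = []
    params: list[Any] = []
    for field, value in filters.items():
        column = FILTERABLE_COLUMNS.get(field)
        if column is None:
            raise ValueError(f"unknown filter field: {field!r}")
        where_clauses.append(f"{column} = ?")
        params.append(value)  # bound, never interpolated

    order_column = SORTABLE_COLUMNS.get(sort_by)
    order_dir = SORT_DIRECTIONS.get(str(direction).lower())
    if order_column is None or order_dir is None:
        raise ValueError(f"unknown sort key or direction: {sort_by!r} {direction!r}")

    if not isinstance(page, int) or page < 1:
        raise ValueError("page must be a positive integer")
    if not isinstance(page_size, int) or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")

    sql = "SELECT id, name, price_cents, category, vendor FROM products"
    if where_clauses:
        sql += " WHERE " + " AND ".join(where_clauses)
    sql += f" ORDER BY {order_column} {order_dir} LIMIT ? OFFSET ?"
    params += [page_size, (page - 1) * page_size]
    return sql, tuple(params)


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database with a few constructed rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "price_cents INTEGER, category TEXT, vendor TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "hammer", 1500, "tools", "acme", "2024-01-01"),
            (2, "saw", 2500, "tools", "acme", "2024-01-02"),
            (3, "glue", 300, "supplies", "bond", "2024-01-03"),
            (4, "clamp", 900, "tools", "o'reilly", "2024-01-04"),
        ],
    )
    return conn


def search_products(conn: sqlite3.Connection, filters: Mapping[str, Any],
                    sort_by: str = "name", direction: str = "asc",
                    page: int = 1, page_size: int = 20) -> list[str]:
    """Run the built query with its bound parameters; return matching names."""
    sql, params = build_product_query(filters, sort_by, direction, page, page_size)
    return [row[1] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_demo_db()
    print(search_products(db, {"category": "tools"}, "price", "desc"))
    # A value containing a quote is plain data because it is bound, not interpolated.
    print(search_products(db, {"vendor": "o'reilly"}))
```

When reviewing real code, the useful comparison is where each piece of request input ends up: anything that reaches the SQL text itself (here only `order_column` and `order_dir`) must have passed through a lookup like `SORTABLE_COLUMNS.get`, and anything else must be in the parameter tuple. A builder that f-strings a sort key or filter value straight into the query string is the finding the questions above are designed to surface.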

Evidence format

For each result, record:

  • query path
  • user-controlled input
  • parameterization status
  • allowlist status for dynamic identifiers
  • confirmed vulnerability, design risk, or non-finding

Common non-findings

  • ORM calls that bind values safely
  • fixed raw SQL with no user-controlled interpolation
  • dynamic filters that map through a strict allowlist

Install via CLI

npx skills add https://github.com/Qiuner/web-security-skills --skill review-sqli-and-query-safety

Source: SKILL.md on branch main of the repository above.