Bolt security

SQL Injection in Bolt AI-Generated Database Queries

Your Bolt.new application contains SQL injection vulnerabilities in its database queries. The AI-generated code concatenates user input directly into SQL strings instead of using parameterized queries, allowing attackers to manipulate your database.

An attacker can exploit this by entering specially crafted input into form fields, search boxes, or URL parameters. For example, entering ' OR 1=1 -- into a login form could bypass authentication entirely, or entering '; DROP TABLE users; -- could delete your entire users table.

This vulnerability is particularly dangerous because it can go completely unnoticed during normal use. The app works perfectly with legitimate input, but an attacker with basic SQL knowledge can read, modify, or delete any data in your database.

Error Messages You Might See

Error: syntax error at or near "'"
PrismaClientKnownRequestError: Raw query failed
ERROR: unterminated quoted string at or near "' OR"
Database query returned unexpected number of rows

Common Causes

  • String concatenation in queries — Bolt generated code like `SELECT * FROM users WHERE id = '${userId}'` instead of using parameterized queries
  • Raw SQL with template literals — Using Prisma's `$queryRawUnsafe` or Supabase's `rpc` with unsanitized user input
  • Dynamic table or column names — Building queries with user-controlled table names or sort columns without whitelisting
  • Search functionality with LIKE — Search queries built by concatenating user input: `WHERE name LIKE '%${searchTerm}%'`
  • Filter parameters passed directly — URL query parameters inserted into WHERE clauses without sanitization

How to Fix It

  1. Use parameterized queries everywhere — Replace string concatenation with parameterized queries: `` prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}` ``
  2. Use Prisma's query builder — Let Prisma handle parameterization: `prisma.user.findMany({ where: { name: { contains: searchTerm } } })`
  3. Whitelist dynamic identifiers — If you need dynamic column names, validate them against an allowlist: `const allowed = ['name', 'date', 'price']; if (!allowed.includes(sortBy)) throw new Error('Invalid sort')`
  4. Use Supabase client safely — The Supabase JS client automatically parameterizes: `supabase.from('users').select().eq('id', userId)`
  5. Test with SQLi payloads — Enter `' OR 1=1 --` into your form fields and search boxes to check if they return unexpected results
  6. Add input validation — Validate and sanitize all user inputs with a library like zod or validator.js before they reach any query
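To make the difference between steps 1 and 3 concrete, here is an added example (not Bolt's, Prisma's or Supabase's code) with a minimal `sql` tag that behaves like a tagged-template `$queryRaw`: interpolated values become bound parameters, while a plain template literal bakes the input into the query text. The `sql`, `unsafeUserQuery`, `safeUserQuery`, `searchProductsQuery` and `sortedProductsQuery` names and the sample payload are assumptions for illustration.

```javascript
// Added example (not Bolt's or Prisma's code): a minimal `sql` tag that does
// what Prisma's $queryRaw does with a tagged template: it keeps the SQL text
// and the interpolated values apart, so input can never change query structure.
function sql(strings, ...values) {
  // Each ${...} slot becomes a positional placeholder ($1, $2, ...).
  const text = strings.reduce(
    (acc, part, i) => acc + part + (i < values.length ? `$${i + 1}` : ""),
    ""
  );
  return { text, values };
}

// The pattern Bolt tends to generate: a plain template literal, which is
// already a finished string by the time it reaches the database.
function unsafeUserQuery(userId) {
  return `SELECT * FROM users WHERE id = '${userId}'`;
}

// Same-looking syntax, but `sql` is a tag: the value travels separately.
function safeUserQuery(userId) {
  return sql`SELECT * FROM users WHERE id = ${userId}`;
}

// LIKE search: the wildcards belong in the bound value, not the SQL text.
// (A literal % or _ typed by the user still acts as a wildcard; escape it if
// that matters for your search, but it cannot change the query's structure.)
function searchProductsQuery(searchTerm) {
  return sql`SELECT * FROM products WHERE name LIKE ${"%" + searchTerm + "%"}`;
}

// Identifiers (table or column names) cannot be bound as parameters, so a
// dynamic sort column must be validated against an allowlist and only then
// spliced into the SQL text.
const ALLOWED_SORT_COLUMNS = ["name", "date", "price"];
function sortedProductsQuery(sortBy) {
  if (!ALLOWED_SORT_COLUMNS.includes(sortBy)) {
    throw new Error(`Invalid sort column: ${sortBy}`);
  }
  return { text: `SELECT * FROM products ORDER BY ${sortBy}`, values: [] };
}

// Constructed attacker-style input, the same payload used in the text above.
const PAYLOAD = "' OR 1=1 --";
console.log(unsafeUserQuery(PAYLOAD)); // quotes closed, condition rewritten
console.log(safeUserQuery(PAYLOAD));   // payload stays a value in values[0]
```

Run it with `node` and compare the two printed results: the unsafe query's WHERE clause has been rewritten, while the safe one still has a single `$1` placeholder and the payload sitting harmlessly in `values`.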

Real developers can help you.


You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

Is Prisma safe from SQL injection by default?

Prisma's query builder (`findMany`, `create`, etc.) is safe by default. Prisma's `$queryRaw` is only safe when it is used as a tagged template literal (prisma.$queryRaw`...`), which sends the interpolated values as bound parameters. Using `$queryRawUnsafe`, or building the query string by concatenation before handing it to `$queryRaw`, bypasses that protection.
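Because the safe and unsafe forms look almost identical in source, a quick review pass helps before deploying. The following added example (not Bolt's or Prisma's tooling) is a deliberately simple line-based heuristic scanner that flags `$queryRawUnsafe`/`$executeRawUnsafe` calls and interpolated template literals that contain SQL keywords but are not written as a tagged `$queryRaw`/`$executeRaw` template; the `scanSource` name, the rule names and the sample source are assumptions constructed for illustration.

```javascript
// Added example, not Bolt's or Prisma's own tooling: a line-based heuristic
// scanner for the raw-query patterns discussed in the FAQ. It does no real
// parsing, so treat hits as review candidates, not proof of a vulnerability.
const SQL_KEYWORD = /\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b/i;

// A tagged template is written directly after the tag: $queryRaw`...`.
// A template literal reached any other way (assigned to a variable, passed
// inside parentheses) is already a plain string when it hits the database.
const TAGGED_RAW = /\$(queryRaw|executeRaw)\s*`/;
const UNSAFE_CALL = /\$(queryRaw|executeRaw)Unsafe\s*\(/;
const INTERPOLATED_SQL = /`[^`]*\$\{[^`]*`/;

function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, index) => {
    const lineNo = index + 1;
    if (UNSAFE_CALL.test(line)) {
      findings.push({ line: lineNo, rule: "raw-unsafe", text: line.trim() });
      return;
    }
    if (INTERPOLATED_SQL.test(line) && SQL_KEYWORD.test(line) && !TAGGED_RAW.test(line)) {
      findings.push({ line: lineNo, rule: "interpolated-sql", text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample resembling Bolt-generated code (not from a real project).
const SAMPLE = [
  "const user = await prisma.$queryRawUnsafe(`SELECT * FROM users WHERE id = '${userId}'`);",
  "const q = `SELECT * FROM products WHERE name LIKE '%${searchTerm}%'`;",
  "const rows = await prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`;",
  "const users = await prisma.user.findMany({ where: { name: { contains: searchTerm } } });",
  "console.log(`Loaded ${rows.length} rows`);",
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line} [${f.rule}]: ${f.text}`);
}
```

Only the first two sample lines are reported; the tagged `$queryRaw` template, the query-builder call and the unrelated template literal pass.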

How can I test my app for SQL injection?

Enter these payloads in text fields: `' OR 1=1 --`, `'; DROP TABLE test; --`, and `' UNION SELECT null, null --`. If the app behaves unexpectedly (returns all records, errors with SQL syntax), you have a vulnerability.
