Request superglobal concatenated into a SQL query call
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A $_GET/$_POST/$_REQUEST/$_COOKIE value is concatenated with the . operator directly into the string passed to a query()/exec()/prepare() call, instead of being bound as a parameter. This is classic SQL injection: the request controls part of the query text itself.
Why it matters
Concatenating a request value straight into a SQL string means the request can inject its own SQL: closing a clause early, adding a UNION SELECT, or dropping a WHERE condition entirely. This is one of the most exploited bug classes in PHP applications and typically gives an attacker read or write access to the whole database.
How to fix it
Switch to parameterized queries: mysqli prepared statements with bind_param(), or PDO with prepare()/execute() and named or positional placeholders. The request value becomes a bound parameter, never text spliced into the query, so the driver keeps it as data regardless of its content.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo