From 9cf805e6f790a34c14ac4da053385a11ddc54ba3 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Mon, 1 Jun 2026 14:22:05 +0200
Subject: [PATCH] Trim user input before sending to detectSQLInjection
Co-Authored-By: Claude Sonnet 4.6
---
 vulnerabilities/sqlinjection/detect_sql_injection.go | 2 +-
 vulnerabilities/sqlinjection/detect_sql_injection_test.go | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/vulnerabilities/sqlinjection/detect_sql_injection.go b/vulnerabilities/sqlinjection/detect_sql_injection.go
index fba6c1e7..65ab91b2 100644
--- a/vulnerabilities/sqlinjection/detect_sql_injection.go
+++ b/vulnerabilities/sqlinjection/detect_sql_injection.go
@@ -17,7 +17,7 @@ const (
 func detectSQLInjection(query string, userInput string, dialect int) int {
 // Lowercase versions of query and user input
 queryLowercase := strings.ToLower(query)
- userInputLowercase := strings.ToLower(userInput)
+ userInputLowercase := strings.TrimSpace(strings.ToLower(userInput))
 
 if shouldReturnEarly(queryLowercase, userInputLowercase) {
 return sqlInjectionSafe
diff --git a/vulnerabilities/sqlinjection/detect_sql_injection_test.go b/vulnerabilities/sqlinjection/detect_sql_injection_test.go
index 5f83d0db..3801342b 100644
--- a/vulnerabilities/sqlinjection/detect_sql_injection_test.go
+++ b/vulnerabilities/sqlinjection/detect_sql_injection_test.go
@@ -125,6 +125,12 @@ func TestIsSQLInjection(t *testing.T) {
 first_name, last_name FROM users WHERE email_lowercase = '' or 1=1 -- a',`, "' OR 1=1 -- a"},
+
+ // it detects injection when user input has trailing whitespace (trimmed by DB driver)
+ {
+ "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+ "x', 'dummy'), ('injected', 'hacker'); -- ",
+ },
 }
 for _, tt := range tests {
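Review bot: The comment just above the changed line, `// Lowercase versions of query and user input`, is now inaccurate, because the new line also strips surrounding whitespace from the user input and nothing in the function says why. The rationale appears only in the test file's comment (trailing whitespace being trimmed before the value reaches the query) and belongs next to the code, e.g. `// Lowercase both; the user input is also trimmed so that surrounding whitespace the application or driver may strip before the value reaches the query does not stop it from being found there.` Note that strings.TrimSpace removes all Unicode whitespace (NBSP, U+0085, other Zs characters), which is broader than what SQL engines treat as whitespace; if the detector searches the untrimmed query for the input as a substring this only shortens the needle and should not lose matches, but it is worth confirming that shouldReturnEarly does not classify a now-shorter trimmed input as safe where the padded original was flagged. The body of detectSQLInjection continues outside the hunk.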