Developer Edition dont find sql query vulnerables


we’re using SonarQube 8.7 in our project and wondering why the scan dont pick up sql injections.
Rule: PHP Sonar way - Database queries should not be vulnerable to injection attacks

Just a worst case example:

Lets think we have a class db_access which handles the querys and then we have a:

$result = db_access->query_first("SELECT * FROM bla_table WHERE user_id="._GET[‘id’].");

Why is the rule not able to find it?


Hello @LarsW ,

This may depend on the context and the DB you’re using. Could you send a longer code snippet as a full standalone reproducer ? (Open DB and run SQL Query using _GET[] input).

Thanks, Olivier

Hello Olivier,

thank you for your fast answer. We’re using MariaSQL and here is a longer code snippet:

class class_db_access extends \mysqli{

  public function query_first( $query_string ) {
    if( $result = mysqli_query( $query_string ) ){
      $row = $this->fetch_array( $result );
      return $row;
      return false;


$db_access=new class_db_access();
$arr=$db_access->query_first("SELECT * FROM bla_table WHERE user_id=".$_GET['id']);


Hello Lars,

thank you for the code sample! I think

if( $result = mysqli_query( $query_string ) ){

should actually be

if( $result = $this->query( $query_string ) ){

right? Then an issue is detected for me.