The following code adds a subquery to the values array that is used in an INSERT statement to the database. It’s being used in a API utility class where the values from the request are passed as parameters.

The problem is that the vulnerability scan is detecting a SQL injection problem, which is right. Separating the subquery execution, I can solve the vulnerability, but it can cause performance issues because of multiple database access.

Is it possible to change this code to make it safe from SQL injection, but not execute the subquery separately (keep the subquery)?

try {
  const formattedValues = request.values.map((element) => {
    const value0 = mysql.escape(element[0]);
    const value_table = mysql.escape(`TABLE_${value0}`);
    const value1 = mysql.escape(element[1]);
    const value2 = mysql.escape(element[2]);
    let sqlSelect = mysql.format(
      "(SELECT VALUE5 FROM ?? WHERE value1 = ? AND value2 = ?)",
      [value_table, value1, value2]
    );
    element.splice(4, 0, sqlSelect);
    return element;
  });

  const sql = `INSERT INTO TEST_TABLE
  (value0, value1, value2, value3, value4, value5, value6, value7, value8)
  VALUES ?;`;

  const response = await db.query(sql, [formattedValues]);
  return response;
} catch (e) {
  return e;
}