{"detect":{"cwe":"CWE-89","exploit_examples":["POST /second-order/register username=' UNION SELECT value FROM secrets WHERE name='sqli-second-order'#","GET /second-order/profile?id=<new-user-id>"],"notes":"Single-sink taint trackers that clear the INSERT (because it's parameterized) miss this. Needs cross-sink data-flow modeling: user input flows through the DB and back into a second, unsafely-constructed query.","owasp":"A03:2021 \u2014 Injection (SQLi)","scanner_should_fire":true,"sinks":["INSERT (parameterized, safe) -> later SELECT with string concatenation against stored value"],"subtype":"second-order-stored-input","success_markers":["VULNLAB{sqli-second-order-via-stored-input}"],"tags":["second-order","stored","cross-sink"]},"lab_url":"/second-order/","sink":"stored input -> later string-concatenated SELECT","slug":"second-order","source_url":"/source/second-order","summary":"Registration is parameterized; profile view re-uses stored input unsafely.","title":"Second-order SQLi","vulnerable":true}