# 400 Bad Request: Query parameter contains blocked SQL keywords

- **ID:** `api/rest-query-parameter-sql-injection-blocked`
- **Domain:** api
- **Category:** security_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

An API gateway or WAF (Web Application Firewall) in front of the service matched a query parameter value against its SQL injection signatures (keywords and token sequences such as `SELECT`, `DROP`, `UNION`, `' OR 1=1`) and rejected the request with 400 before it reached the application. In the cases this page covers the match is a false positive: the parameter legitimately carries free text that happens to look like SQL, such as a code search string, a saved-query name, or a support ticket body. The application never sees the request, so the error appears in gateway or WAF logs rather than in application logs.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS WAF 2024 | active | — | — |
| Cloudflare WAF 2023 | active | — | — |
| Kong Gateway 3.5 | active | — | — |
| nginx ModSecurity 3.0 | active | — | — |

## Workarounds

1. **Accept the search text in a POST request with a JSON body instead of a GET query parameter.** (90% success)
   Search and filter endpoints that take free text which may legitimately contain SQL keywords are the usual victims. Moving the text out of the URL takes it away from the rules that target query strings and from URL-encoding quirks, and gives the gateway a typed (`application/json`) body to parse. Most WAFs inspect request bodies as well, so check the body rules that apply to the endpoint rather than assuming the move alone is sufficient. Whichever way the text arrives, the backend must bind it as a query parameter and never concatenate it into SQL.
2. **Add a narrowly scoped WAF exclusion for the specific parameter (e.g. `search` or `query`) on the specific endpoint.** (85% success)
   Appropriate when the parameter is known to accept arbitrary text that legitimately resembles SQL (a code search tool, a query-builder UI). Scope the exclusion to one parameter on one path, not to the whole rule set: in ModSecurity with the OWASP Core Rule Set this is a `ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:query` action on a rule that matches the endpoint's `REQUEST_URI`; AWS WAF scope-down statements and Cloudflare WAF exceptions serve the same purpose. Add the exclusion only after confirming that the backend uses parameterized queries for that field, because the WAF no longer covers it afterwards.
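As an added example that is not part of the original page: the two request shapes from workaround 1 side by side, with a hardened (parameterized) backend and a deliberately vulnerable one for contrast, showing why routing around the WAF's false positive is safe only when the server binds the text as a parameter. The endpoint path `/api/search`, the field name `query`, and the `snippets` table with its sample rows are constructed for this example; no real WAF is involved.

```python
from __future__ import annotations

import json
import sqlite3
from urllib.parse import urlencode

# Hypothetical endpoint and field names, chosen for this example only.
SEARCH_PATH = "/api/search"
FIELD = "query"


def build_get_request(text: str) -> str:
    """The request shape a WAF flags: user text URL-encoded into the query string."""
    return f"{SEARCH_PATH}?{urlencode({FIELD: text})}"


def build_post_request(text: str) -> tuple[str, dict[str, str], bytes]:
    """Workaround 1: the same text as a JSON body, so the URL carries no user input."""
    headers = {"Content-Type": "application/json"}
    return SEARCH_PATH, headers, json.dumps({FIELD: text}).encode("utf-8")


def open_demo_db() -> sqlite3.Connection:
    """In-memory table of constructed sample snippets; several legitimately contain SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO snippets (body) VALUES (?)",
        [
            ("SELECT id FROM users WHERE email = ?",),
            ("DROP TABLE IF EXISTS staging_orders;",),
            ("def parse(line): return line.split(',')",),
            ("UNION ALL SELECT name FROM archived_users",),
        ],
    )
    return conn


def _like_pattern(text: str) -> str:
    """Escape LIKE wildcards so the user's text is matched literally."""
    escaped = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def search_snippets(conn: sqlite3.Connection, body: bytes) -> list[str]:
    """Server side, hardened: parse the JSON body and bind the text as a parameter.

    The text travels as a bound value, never spliced into the SQL string, so
    words like DROP or UNION, quotes and semicolons inside it are just characters.
    """
    text = json.loads(body)[FIELD]
    rows = conn.execute(
        "SELECT body FROM snippets WHERE body LIKE ? ESCAPE '\\' ORDER BY id",
        (_like_pattern(text),),
    ).fetchall()
    return [row[0] for row in rows]


def vulnerable_search(conn: sqlite3.Connection, body: bytes) -> list[str]:
    """Server side, deliberately vulnerable (for contrast only): string concatenation.

    This is the code path the WAF rule is protecting. A tautology such as
    "x%' OR 1=1 --" turns the LIKE filter into "match everything".
    """
    text = json.loads(body)[FIELD]
    sql = f"SELECT body FROM snippets WHERE body LIKE '%{text}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = open_demo_db()
    print("GET form the WAF flags:", build_get_request("DROP TABLE staging_orders"))
    _, _, legit = build_post_request("DROP TABLE")
    print("hardened, legitimate search:", search_snippets(db, legit))
    _, _, attack = build_post_request("nonexistent%' OR 1=1 --")
    print("hardened, injection attempt:", search_snippets(db, attack))
    print("vulnerable, injection attempt:", vulnerable_search(db, attack))
```

Run it directly to see the contrast: the hardened search returns the one snippet containing `DROP TABLE` and nothing for the tautology payload, while the concatenating version returns every row for the same payload. That difference is the reason the WAF exception in workaround 2 is acceptable for a parameterized endpoint and dangerous for one that still builds SQL from request data.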

## Dead Ends

- **Double URL-encoding the parameter value to slip past the filter** — Modern WAFs decode URL-encoded payloads (often repeatedly) before inspection; double encoding may work temporarily but is typically closed quickly, looks like an evasion attempt in the WAF logs, and violates the API's own encoding contract. (85% fail)
- **Disabling the SQL injection rule, or the WAF, for the endpoint** — This removes the protection that detects actual SQL injection attempts against the API, exposing any backend path that still builds SQL from request data; not acceptable for production. (95% fail)
