diff --git a/javascript/src/audit/CWE-089/SqlInjectionAudit.md b/javascript/src/audit/CWE-089/SqlInjectionAudit.md
new file mode 100644
index 00000000..d2d6cd74
--- /dev/null
+++ b/javascript/src/audit/CWE-089/SqlInjectionAudit.md
@@ -0,0 +1,3 @@
+# Audit: Usage of unsafe Database query
+
+This query detects the use of unsafe sql injection sinks. Unsafe sql sinks are functions that can lead to remote code execution if user controled input comes into the sink
diff --git a/javascript/src/audit/CWE-089/SqlInjectionAudit.ql b/javascript/src/audit/CWE-089/SqlInjectionAudit.ql
new file mode 100644
index 00000000..f6a0120d
--- /dev/null
+++ b/javascript/src/audit/CWE-089/SqlInjectionAudit.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Audit: Database query built from user-controlled sources
+ * @description A SQL Injection sink is being used in your application, this can lead to remote code execution if user controled input comes into the sink
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 3.0
+ * @id githubsecuritylab/audit/sql-injection
+ * @tags security
+ * external/cwe/cwe-089
+ * external/cwe/cwe-090
+ * external/cwe/cwe-943
+ * audit
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
+import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
+
+from DataFlow::Node sink
+where sink instanceof SqlInjection::Sink or sink instanceof NosqlInjection::Sink
+select sink, "Possible SQL Injection sink"
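Review bot: The `@name` and the `select` message in SqlInjectionAudit.ql overstate what the query establishes: the `where` clause matches every `SqlInjection::Sink` or `NosqlInjection::Sink` with no source or flow constraint, yet the name says "built from user-controlled sources" and the message labels NoSQL sinks as "SQL Injection". For triage that distinction matters, because a result here is a location to review rather than a confirmed tainted path. I would use `@name Audit: Use of a SQL or NoSQL injection sink` and `select sink, "Possible SQL or NoSQL injection sink"`. The `@description` also gives remote code execution as the outcome, which looks carried over from another audit query; the usual impact of these sinks is unauthorized reading or modification of data, so something like `@description A SQL or NoSQL injection sink is used; review whether user-controlled input can reach it` would describe the finding more accurately.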