diff --git a/javascript/express/security/injection/tainted-sql-string.js b/javascript/express/security/injection/tainted-sql-string.js
index ecc8b6cb5c..e6c9337fd6 100644
--- a/javascript/express/security/injection/tainted-sql-string.js
+++ b/javascript/express/security/injection/tainted-sql-string.js
@@ -41,6 +41,20 @@ app.get('/test4', (req, res) => {
 res.send(results)
 })
 
+app.get('/test5', (req, res) => {
+ // ruleid: tainted-sql-string
+ const query = util.format("UPDATE User SET name = '' WHERE id = '%s'", req.query.message)
+ const [results, metadata] = await sequelize.query(query);
+ res.send(results)
+})
+
+app.get('/test6', (req, res) => {
+ // ruleid: tainted-sql-string
+ const query = util.format("UPDATE %s SET name = '' WHERE id = 0", req.query.table)
+ const [results, metadata] = await sequelize.query(query);
+ res.send(results)
+ })
+
 app.get('/ok', async (req, res) => {
 // ok: tainted-sql-string
 res.send("message: " + req.query.message);
@@ -64,4 +78,10 @@ app.post('/ok4', async (req, res) => {
 res.send(data);
 })
 
+app.post('/ok5', async (req, res) => {
+ // ok: tainted-sql-string
+ var data = "This is an update message: " + req.query.message
+ res.send(data);
+})
+
 app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml
index 6f16c720ab..cc6536d2b4 100644
--- a/javascript/express/security/injection/tainted-sql-string.yaml
+++ b/javascript/express/security/injection/tainted-sql-string.yaml
@@ -70,5 +70,5 @@ rules:
 `$SQLSTR${$EXPR}...`
 - metavariable-regex:
 metavariable: $SQLSTR
- regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.*
+ regex: .*\b(?i)(select|delete|insert|create|update\s+.+\sset|alter|drop)\b.*
 - focus-metavariable: $EXPR
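Review bot: Both new handlers call `await sequelize.query(query)` inside a plain `(req, res) => {` arrow function, so `/test5` and `/test6` are a SyntaxError under Node, whereas the `/ok` and `/ok4` handlers in the same file are declared `async (req, res)`. Semgrep may still parse the fixture, but an Express example is presumably meant to run; change both to `app.get('/test5', async (req, res) => {` and `app.get('/test6', async (req, res) => {`. The closing `})` of `/test6` is also indented one level deeper than its siblings. The new `ruleid` cases only exercise `util.format`; since the rule's template-literal pattern (`$SQLSTR${$EXPR}...`, visible in the YAML hunk) appears to bind `$SQLSTR` to the text before the first interpolation, consider adding a `ruleid` case such as `` `UPDATE ${req.query.table} SET name = ''` `` so the fixture covers the form where `SET` sits after the interpolation.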
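Review bot: `/ok5` declares `var data = ...` with no terminating semicolon while the next line `res.send(data);` has one, and the other code added in this change uses `const`; `const data = "This is an update message: " + req.query.message;` keeps the fixture consistent. Note also what this negative case does and does not establish: it pins that `update` with no following `set` is no longer flagged, but a prose string such as `"Your update has been set "` would still satisfy `update\s+.+\sset`, so the fixture shows this specific string is clean rather than that the narrowed regex is prose-proof.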
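Review bot: Narrowing `update` to `update\s+.+\sset` removes the prose false positive but introduces misses for the template-literal pattern in the context lines: `$SQLSTR` in `` `$SQLSTR${$EXPR}...` `` appears to bind only the text before the first interpolation, so `` `UPDATE ${req.query.table} SET name = ''` `` yields `$SQLSTR = "UPDATE "`, which no longer satisfies the regex even though the table name is tainted. `.` also does not cross newlines, so a multi-line statement such as `UPDATE users\n  SET name = ...` fails the `.+\sset` part once `SET` is on an indented line. A form that keeps the prose fix while covering both is to accept `update` at the start of the fragment and let the search span lines, e.g. `regex: (?is).*(\b(select|delete|insert|create|alter|drop)\b|^\s*update\b|\bupdate\s+.+\sset\b).*`; moving the flags to the front also avoids engines that reject a mid-pattern `(?i)`, if the evaluator is one of those. Either way, pair the regex change with `ruleid` fixtures for the interpolated-table and multi-line forms so the regression is caught.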