sql injection: sink as class predicate

SqlInjection.ql

@@ -13,6 +13,7 @@ class SqliFlowConfig extends TaintTracking::Configuration {
     SqliFlowConfig() { this = "SqliFlow" }
 
     override predicate isSource(DataFlow::Node source) {
+        // count = read(STDIN_FILENO, buf, BUFSIZE);
         exists(FunctionCall read |
             read.getTarget().getName() = "read" and
             read.getArgument(1) = source.asExpr()
@@ -23,13 +24,18 @@ class SqliFlowConfig extends TaintTracking::Configuration {
 
     override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
 
-    override predicate isSink(DataFlow::Node sink) { any() }
+    override predicate isSink(DataFlow::Node sink) {
+        // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+        exists(FunctionCall exec |
+            exec.getTarget().getName() = "sqlite3_exec" and
+            exec.getArgument(1) = sink.asExpr()
+        )
+    }
 }
 
 // from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
 // where conf.hasFlowPath(source, sink)
 // select sink, source, sink, "Possible SQL injection"
-
 // Sink identification
 // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
 from FunctionCall exec, DataFlow::Node sink