Unsanitized external input in SQL query

Overview

  • Rule ID: java_lang_sqli

  • Applicable Languages: Java

  • Weakness ID: CWE-89

Description

Using unsanitized data (user input, request data, or any other externally influenced data) in SQL queries exposes your application to SQL injection attacks. The vulnerability arises when external data is concatenated directly into SQL statements without adequate sanitization, letting an attacker change the structure of the query and potentially read or alter data.

Remediation Guidelines

  • Avoid including unsanitized input in SQL queries, as this can lead to SQL injection vulnerabilities.

    Statement stmt = conn.createStatement();
    // Request data is spliced into the SQL text, so a quote in user_id changes the query itself.
    ResultSet rs = stmt.executeQuery("select name from users where id='" + uri.getQueryParameter("user_id") + "'");
  • Use prepared statements to safely incorporate external input into SQL queries.

    // The SQL text is fixed; the '?' placeholders are bound to values and are never spliced into the string.
    PreparedStatement myStmt = myCon.prepareStatement("select * from students where age > ? and name = ?");
    // getQueryParameter returns a String, so parse it before binding it as an int.
    myStmt.setInt(1, Integer.parseInt(uri.getQueryParameter("age")));
    myStmt.setString(2, uri.getQueryParameter("name"));
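The following is an added example, not code from the rule page or from the scanner project, that carries the remediation above through to a complete repository method: the request parameters arrive as Strings, the numeric one is validated before binding, and both are passed as bound parameters so the SQL the database parses is constant. The table and column names (students, age, name) come from the page; the class name, the validation limits and the H2 in-memory database used by main are assumptions made so the demo can run.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example: the page's prepared-statement remediation as a small repository class.
// Table/column names follow the page; class name, limits and the H2 demo database are assumptions.
public class StudentRepository {

    private final Connection conn;

    public StudentRepository(Connection conn) {
        this.conn = conn;
    }

    /**
     * Returns the names of students older than minAge whose name equals nameParam.
     * Both arguments are raw request values; they are bound as parameters, so the
     * statement text the database compiles never depends on their contents.
     */
    public List<String> findStudents(String ageParam, String nameParam) throws SQLException {
        // Defense in depth: validate the numeric parameter before binding it. Anything
        // that is not an integer is rejected here and never reaches the database.
        int minAge;
        try {
            minAge = Integer.parseInt(ageParam);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("age must be an integer", e);
        }
        if (nameParam == null || nameParam.isEmpty() || nameParam.length() > 100) {
            throw new IllegalArgumentException("name is required and must be at most 100 characters");
        }

        // The SQL is a constant string; '?' marks where data is bound.
        String sql = "select name from students where age > ? and name = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, minAge);
            ps.setString(2, nameParam); // quotes inside nameParam remain part of the value
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    // Demo against an in-memory H2 database (assumes the H2 JDBC driver is on the
    // classpath; any JDBC-compliant database behaves the same way for this code).
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement setup = conn.createStatement()) {
                setup.execute("create table students (name varchar(100), age int)");
                setup.execute("insert into students values ('alice', 21), ('o''brien', 30), ('alice', 17)");
            }
            StudentRepository repo = new StudentRepository(conn);

            // Ordinary request: only the 'alice' older than 18 matches.
            System.out.println(repo.findStudents("18", "alice"));

            // A name containing a quote is compared literally. With string concatenation
            // this apostrophe would have broken (or altered) the statement; bound as a
            // parameter it is just data and matches the stored row.
            System.out.println(repo.findStudents("18", "o'brien"));

            // A non-numeric age is rejected by the application before any SQL runs.
            try {
                repo.findStudents("eighteen", "alice");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The binding step is what removes the injection: `prepareStatement` sends the query shape to the database once, and `setInt`/`setString` supply values for the placeholders, so input can only ever be compared against, never executed as part of, the SQL. The up-front validation of the age parameter is separate defense in depth; it gives a clear error for malformed requests but is not what makes the query safe.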
