Unsanitized external input in SQL query
Overview
Rule ID: java_lang_sqli
Applicable Languages: Java
Weakness ID: CWE-89
Description
Using unsanitized data, such as user input, request data, or any externally influenced data in SQL queries exposes your application to SQL injection attacks. This vulnerability occurs when external data is directly incorporated into SQL statements without adequate sanitization, enabling attackers to manipulate queries and potentially access or alter data.
Remediation Guidelines
Avoid including unsanitized input in SQL queries, as this can lead to SQL injection vulnerabilities.
Use prepared statements (parameterized queries) so that external input is bound as data rather than spliced into the SQL text.
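The following Java class is an added illustration, not code from the Bearer rule page: it places the string-concatenation pattern this rule flags next to the PreparedStatement form the remediation recommends, using plain JDBC. It assumes an in-memory H2 database reachable at jdbc:h2:mem:demo with the H2 driver on the classpath (an assumption; any JDBC driver and URL would do) and a constructed users table created at startup. The input value "O'Brien" is constructed to show why concatenation is structurally unsafe: even a legitimate value containing a quote is parsed as SQL in the unsafe version, while the parameterized version treats it purely as data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class UserLookup {

    // Flagged pattern (CWE-89): the externally supplied username is concatenated
    // into the SQL text, so the value participates in the query's structure.
    static List<String> findEmailsUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        List<String> emails = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    // Remediation: the SQL text is fixed at compile time and the value is bound as a
    // parameter, so the database never parses the input as SQL.
    static List<String> findEmailsSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath; jdbc:h2:mem:demo is a hypothetical in-memory URL.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                // Constructed sample table; 'O''Brien' is the SQL-escaped spelling of O'Brien.
                s.execute("CREATE TABLE users (username VARCHAR(64), email VARCHAR(128))");
                s.execute("INSERT INTO users VALUES ('alice', 'alice@example.com'), "
                        + "('O''Brien', 'obrien@example.com')");
            }

            // Constructed input: a legitimate value that happens to contain a quote.
            String input = "O'Brien";

            try {
                System.out.println("unsafe: " + findEmailsUnsafe(conn, input));
            } catch (SQLException e) {
                // The quote terminated the string literal early: the input was parsed as SQL.
                System.out.println("unsafe: query failed, input was interpreted as SQL: " + e.getMessage());
            }

            // The bound parameter matches the stored row regardless of the quote.
            System.out.println("safe: " + findEmailsSafe(conn, input));
        }
    }
}
```

The same finding applies when the query text is assembled with String.format or a StringBuilder rather than the + operator; what matters to the rule is that externally influenced data reaches the SQL string itself. Binding every variable value through setString, setInt and the other setter methods keeps the query structure constant no matter what the caller supplies.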