Potential injection (custom)

Bug Pattern: CUSTOM_INJECTION

The method identified is susceptible to injection. The input should be validated and properly escaped.

Vulnerable code samples:

  1. SqlUtil.execQuery("select * from UserEntity t where id = " + parameterInput);
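
The sample above is Java; as an added illustration (not code from the Find Security Bugs project), the same sink and its hardened form in Python against an in-memory SQLite table standing in for UserEntity. The vulnerable function splices the input into the SQL text exactly as the sample does, the parameterized one binds it as a value, and the validated one checks the input's shape first:

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the page's UserEntity.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserEntity (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO UserEntity VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def exec_query_vulnerable(conn, parameter_input):
    # Mirrors the page's sample: the input becomes part of the SQL text,
    # so anything it contains is parsed as query grammar, not as a value.
    sql = "select * from UserEntity t where id = " + parameter_input
    return conn.execute(sql).fetchall()


def exec_query_parameterized(conn, parameter_input):
    # Hardened form: the query text is fixed and the value is bound as a
    # parameter, so the database never interprets it as SQL.
    sql = "select * from UserEntity t where id = ?"
    return conn.execute(sql, (parameter_input,)).fetchall()


def exec_query_validated(conn, parameter_input):
    # Validation in front of binding: an id must be a non-negative integer.
    # Rejecting malformed input early also gives a clear event to log.
    if not parameter_input.isdigit():
        raise ValueError("id must be a non-negative integer")
    return exec_query_parameterized(conn, int(parameter_input))


def compare(parameter_input):
    # Row counts returned by the two query styles for the same input.
    conn = make_db()
    return (len(exec_query_vulnerable(conn, parameter_input)),
            len(exec_query_parameterized(conn, parameter_input)))
```

For a well-formed id both styles return one row; for input that carries SQL syntax the concatenated query's WHERE clause is rewritten and returns every row, while the bound parameter matches nothing.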

Refer to the online wiki for detailed instructions on how to configure custom signatures.

References
WASC-19: SQL Injection
OWASP: Top 10 2013-A1-Injection
OWASP: SQL Injection Prevention Cheat Sheet
OWASP: Query Parameterization Cheat Sheet
CAPEC-66: SQL Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)