Potential injection (custom)
Bug Pattern: CUSTOM_INJECTION
The identified method is susceptible to injection: untrusted input reaches it as part of the command it builds. The input should be validated and properly escaped, or passed as a bound parameter.
Vulnerable code sample:
SqlUtil.execQuery("select * from UserEntity t where id = " + parameterInput);
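As an added illustration (not code from the Find Security Bugs project), the concatenated query from the sample above is shown next to the parameterized form the references below recommend; the JDBC Connection, the UserEntity table and the numeric id column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserQueries {

    // Vulnerable: parameterInput is spliced into the SQL text, so any quote or
    // operator it contains changes the structure of the query. This is the
    // shape a CUSTOM_INJECTION signature flags when the sink is a
    // project-specific helper (like SqlUtil.execQuery) rather than a JDBC call.
    public static boolean userExistsUnsafe(Connection conn, String parameterInput) throws SQLException {
        String sql = "select 1 from UserEntity t where id = " + parameterInput;
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened: the query text is constant and the value is bound as a
    // parameter, so the driver never interprets it as SQL. The input is also
    // validated against the expected type before it reaches the database.
    public static boolean userExists(Connection conn, String parameterInput) throws SQLException {
        long id = parseId(parameterInput);
        String sql = "select 1 from UserEntity t where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Validation helper (assumed for this example): an id must be a positive
    // decimal integer. Anything else is rejected outright; no escaping is
    // attempted because the bound parameter makes escaping unnecessary.
    static long parseId(String raw) {
        if (raw == null || !raw.matches("\\d{1,18}")) {
            throw new IllegalArgumentException("invalid user id");
        }
        return Long.parseLong(raw);
    }
}
```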
Refer to the online wiki for detailed instructions on how to configure custom signatures.
References
WASC-19: SQL Injection
OWASP: Top 10 2013-A1-Injection
OWASP: SQL Injection Prevention Cheat Sheet
OWASP: Query Parameterization Cheat Sheet
CAPEC-66: SQL Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)