Potential SQL Injection
Bug Pattern: SQL_INJECTION
The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually.
Vulnerable Code:
createQuery("select * from User where id = '"+inputId+"'");
Solution:
import org.owasp.esapi.Encoder;createQuery("select * from User where id = '"+Encoder.encodeForSQL(inputId)+"'");
References (SQL injection)
WASC-19: SQL Injection
CAPEC-66: SQL Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: Top 10 2013-A1-Injection
OWASP: SQL Injection Prevention Cheat Sheet
OWASP: Query Parameterization Cheat Sheet
若有收获,就点个赞吧
0 人点赞
