SQL INJECTION

Feature       Value
Type          Detection/Protection
Risk          OWASP A1
Covered by    Agent/Library

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. In a SQL injection attack, SQL syntax is injected into data-plane input (a value the application meant to treat as data) so that it alters the execution of the predefined SQL command that input is embedded in.

How to solve it

Never build a SQL query by concatenating user-controlled input into the query string; use parameterized queries end to end, so that the value is bound separately from the SQL text and cannot change the structure of the query. ORM libraries such as Hibernate do this for you as long as you use their parameter binding; an HQL, JPQL or native query assembled by string concatenation is just as injectable as raw SQL. If you are working with raw JDBC, pass user-controlled input through the setXxx methods of PreparedStatement rather than concatenating it into the SQL string of a Statement.

Example:

import java.sql.PreparedStatement;
import java.sql.ResultSet;

String selectSQL = "SELECT USER_ID, USERNAME FROM DBUSER WHERE USER_ID = ?";
try (PreparedStatement preparedStatement = dbConnection.prepareStatement(selectSQL)) {
    // Bind the user-controlled value to the placeholder; the driver sends it separately from the SQL text
    preparedStatement.setInt(1, 1001);
    // Call the no-argument executeQuery(): executeQuery(String) is a Statement method and
    // throws SQLException when invoked on a PreparedStatement
    try (ResultSet rs = preparedStatement.executeQuery()) {
        while (rs.next()) {
            int userid = rs.getInt("USER_ID");
            String username = rs.getString("USERNAME");
        }
    }
}
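To show concretely why binding parameters closes the hole, here is an added example that is not part of the original page. It uses Python's built-in sqlite3 module so that it runs without a database server; the DBUSER table, its rows and the payloads are constructed for the demonstration, and the parameterized variant does the same thing PreparedStatement.setInt does in the JDBC snippet above.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original page)
ROWS = [(1001, "alice"), (1002, "bob"), (1003, "carol")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a DBUSER table shaped like the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DBUSER (USER_ID INTEGER PRIMARY KEY, USERNAME TEXT)")
    conn.executemany("INSERT INTO DBUSER VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation: the client-supplied value becomes part of the SQL grammar.

    This is the equivalent of building the query with '+' and running it through
    java.sql.Statement. The attacker controls the control plane, not just the data.
    """
    sql = "SELECT USER_ID, USERNAME FROM DBUSER WHERE USER_ID = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the value is bound to the placeholder after the statement
    is parsed, so it can never change the query's structure (PreparedStatement in JDBC).
    """
    sql = "SELECT USER_ID, USERNAME FROM DBUSER WHERE USER_ID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo() -> dict:
    """Run the same inputs through both lookups and return the results for comparison."""
    conn = make_db()
    # Constructed payloads: one widens the WHERE clause, the other reads the schema catalogue
    tautology = "1001 OR 1=1"
    union = "0 UNION SELECT 0, name FROM sqlite_master"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "1001"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_union": lookup_vulnerable(conn, union),
        "parameterized_normal": lookup_parameterized(conn, "1001"),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
        "parameterized_union": lookup_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

With the concatenated query the tautology payload returns every row and the UNION payload returns the name of a table the caller was never meant to see; with the bound parameter the same strings are compared as a single value against USER_ID, match nothing, and the query's structure is untouched. Note that sqlite3 still accepts the string "1001" for the bound parameter because SQLite applies the column's integer affinity to it; in a real application you would additionally parse the value as an integer before binding it, as setInt forces you to in JDBC.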