Unsanitized user input in SQL query detected.
- Rule ID: java_lang_sqli
- Languages: java
- Source: sqli.yml
Description
Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.
Remediations
❌ Avoid raw queries, especially those that contain unsanitized user input:
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select name from users where id='" + uri.getQueryParameter("user_id") + "'");
✅ Instead of building your SQL queries from dynamically crafted strings, use prepared statements, which pass user-supplied values as bind parameters rather than as part of the query text:
PreparedStatement myStmt = myCon.prepareStatement("select * from students where age > ? and name = ?");
myStmt.setInt(1, Integer.parseInt(uri.getQueryParameter("age")));
myStmt.setString(2, uri.getQueryParameter("name"));
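The two remediated queries from this rule, written out as reusable JDBC helpers. This is an added example, not Bearer's own code: it assumes the caller supplies an open java.sql.Connection, and that the user_id, age and name values come straight from the request (the uri.getQueryParameter calls in the rule text). Request parameters are strings, so the age is parsed to an int before setInt is called; a non-numeric value is rejected instead of reaching the database, and neither value is ever concatenated into the SQL string.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not part of the Bearer rule or project code.
// Assumption: the Connection is provided by the caller (pool, DataSource, etc.).
public final class SafeQueries {

    private SafeQueries() {}

    /**
     * Looks up a user's name by id. The id is bound as a parameter, so a value
     * containing quotes or SQL keywords is compared literally rather than parsed
     * as part of the statement.
     */
    public static String findUserName(Connection conn, String userId) throws SQLException {
        String sql = "select name from users where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    /**
     * Returns the names of students older than ageParam with the given name.
     * setInt needs an int, so the request parameter is parsed and validated
     * first; the parsed value, not the raw string, is bound to the query.
     */
    public static List<String> findStudents(Connection conn, String ageParam, String name)
            throws SQLException {
        int age;
        try {
            age = Integer.parseInt(ageParam);
        } catch (NumberFormatException e) {
            // Reject malformed input at the boundary rather than letting it near the query.
            throw new IllegalArgumentException("age must be an integer", e);
        }
        if (age < 0) {
            // Assumed business rule for the example: negative ages are not meaningful.
            throw new IllegalArgumentException("age must not be negative");
        }

        String sql = "select name from students where age > ? and name = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, age);
            ps.setString(2, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

Both helpers use try-with-resources so the PreparedStatement and ResultSet are closed on every path, including when parsing or the query throws; the query text itself is a constant, which is also what lets the rule's detector distinguish these calls from string-built queries.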
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=java_lang_sqli
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=java_lang_sqli