Unsanitized user input in SQL query

  • Rule ID: java_lang_sqli
  • Languages: java
  • Source: sqli.yml

Description

Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.

Remediations

❌ Avoid raw queries, especially those that contain unsanitized user input:

Statement stmt = conn.createStatement();
// The request parameter is spliced straight into the SQL text, so its content becomes part of the statement
ResultSet rs = stmt.executeQuery("select name from users where id='" + uri.getQueryParameter("user_id") + "'");

✅ Instead of building SQL from dynamically crafted strings, use prepared statements and bind the values as parameters:

PreparedStatement myStmt = myCon.prepareStatement("select * from students where age > ? and name = ?");
// getQueryParameter returns a String, so the numeric parameter is parsed before binding; the bound values are never parsed as SQL
myStmt.setInt(1, Integer.parseInt(uri.getQueryParameter("age")));
myStmt.setString(2, uri.getQueryParameter("name"));
ResultSet rs = myStmt.executeQuery();
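
The following self-contained program, added here as an example and not part of the Bearer rule or its test suite, runs both forms of the query against an in-memory H2 database (assumed on the classpath) with a legitimate name containing an apostrophe. The class name, table and sample rows are constructed for the demonstration; the raw form breaks on the input while the prepared form returns the matching row.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqliRuleDemo {
    // Constructed request input: a real-world name that happens to contain a quote character.
    static final String USER_NAME = "o'brien";

    public static void main(String[] args) throws SQLException {
        // Assumes the H2 JDBC driver is on the classpath; the mem: URL needs no external service.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("create table users(id int primary key, name varchar(50))");
                s.execute("insert into users values (1, 'alice'), (2, 'o''brien')");
            }
            System.out.println("raw:      " + countRaw(conn, USER_NAME));      // -1: statement broken by the input
            System.out.println("prepared: " + countPrepared(conn, USER_NAME)); // 1: value bound, row found
        }
    }

    // The pattern java_lang_sqli flags: the value is spliced into the SQL text, so the quote it
    // carries is read as statement syntax. Here that surfaces as a SQLException; the same
    // mechanism lets other inputs change what the statement means.
    static int countRaw(Connection conn, String name) {
        String sql = "select count(*) from users where name='" + name + "'";
        try (Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        } catch (SQLException e) {
            return -1; // the input corrupted the statement instead of being treated as data
        }
    }

    // The remediation: the SQL text is fixed and the value is bound as a parameter, so it is
    // always treated as data regardless of the characters it contains.
    static int countPrepared(Connection conn, String name) throws SQLException {
        String sql = "select count(*) from users where name=?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, name);
            try (ResultSet rs = stmt.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
}
```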

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_sqli

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_sqli