Unsanitized user input in SQL query detected.

  • Rule ID: java_lang_sqli
  • Languages: java
  • Source: sqli.yml

Description

Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.

Remediations

❌ Avoid raw queries, especially those that contain unsanitized user input:

  // Request data is concatenated straight into the SQL text (intentionally unsafe)
  Statement stmt = conn.createStatement();
  ResultSet rs = stmt.executeQuery("select name from users where id='" + uri.getQueryParameter("user_id") + "'");

✅ Instead of building SQL from dynamically crafted strings, use prepared statements so that request data is bound as parameters:

PreparedStatement myStmt = myCon.prepareStatement("select * from students where age > ? and name = ?");
// Query parameters arrive as strings; setInt requires an int, so parse it first
myStmt.setInt(1, Integer.parseInt(uri.getQueryParameter("age")));
myStmt.setString(2, uri.getQueryParameter("name"));
ResultSet rs = myStmt.executeQuery();
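The following is an added, self-contained example (not code from the Bearer rule page) that runs the prepared-statement remediation end to end. It assumes the H2 JDBC driver is on the classpath; the `students` table, its rows and the request values are constructed for the demo, and `findStudents` and `parseAgeParameter` are hypothetical helper names.

```java
// Added example, not part of the Bearer rule page.
// Assumptions: the H2 database driver (h2-*.jar) is on the classpath; the schema,
// rows and "request parameters" below are constructed for this demo.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class SafeStudentLookup {

    /** Creates the demo table with two rows in an in-memory H2 database (assumed driver). */
    static Connection openDemoDatabase() throws SQLException {
        Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo");
        try (Statement stmt = conn.createStatement()) {
            // Fixed DDL/DML with no external input: plain Statement is fine here
            stmt.execute("create table students (id int primary key, name varchar(64), age int)");
            stmt.execute("insert into students values (1, 'Alice', 20), (2, 'O''Brien', 25)");
        }
        return conn;
    }

    /**
     * Looks up students by age and name with bound parameters. The SQL text is a
     * constant; whatever the caller passes as name becomes a string value at
     * execution time and can never alter the statement's syntax.
     */
    static List<String> findStudents(Connection conn, int minAge, String name) throws SQLException {
        List<String> names = new ArrayList<>();
        String sql = "select name from students where age > ? and name = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setInt(1, minAge);
            stmt.setString(2, name);
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    /**
     * Request parameters arrive as strings. setInt needs an int, so parse and
     * validate first; a non-numeric or out-of-range value is rejected up front
     * instead of being handed to the database.
     */
    static int parseAgeParameter(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing age parameter");
        }
        try {
            int age = Integer.parseInt(raw.trim());
            if (age < 0 || age > 150) {
                throw new IllegalArgumentException("age out of range");
            }
            return age;
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("age must be an integer", e);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed stand-ins for uri.getQueryParameter("age") / ("name")
        String ageParam = "21";
        String nameParam = "O'Brien";   // contains a quote; bound as data, so no escaping is needed

        try (Connection conn = openDemoDatabase()) {
            List<String> found = findStudents(conn, parseAgeParameter(ageParam), nameParam);
            System.out.println("matches: " + found);
        }
    }
}
```

The name containing an apostrophe is the point of the demo: with string concatenation that quote would have broken the statement (and is exactly where injected SQL would enter), whereas `setString` passes it to the driver as a value, so the query matches the stored row correctly with no escaping in application code. Parsing the age before `setInt` also fixes the type mismatch that the raw `getQueryParameter` string would otherwise cause.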

Resources

Associated CWE

OWASP Top 10
