Unsanitized user input in SQL query

  • Rule ID: java_spring_sqli
  • Languages: java
  • Source: sqli.yml


Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.


❌ Avoid raw queries, especially those that contain unsanitized user input:

  String query = "update user set name='"+uri.getQueryParameter("name")+"' where id='"+uri.getQueryParameter("userId")+"'";
return jdbcTemplate.update(query);

✅ Use PreparedStatement creators and setters to construct SQL queries

new PreparedStatementCreator() {
public PreparedStatement createPreparedStatement(Connection conn) throws SQLException {
String updateString = "update user set name = ? where id = ?";
return conn.prepareStatement(updateString);

new PreparedStatementSetter() {
public void setValues(PreparedStatement preparedStatement) throws SQLException {
preparedStatement.setString(1, uri.getQueryParameter("name"))
preparedStatement.setInt(2, uri.getQueryParameter("userId"))


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_spring_sqli

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_spring_sqli