SQL Injection
Description
Input values included in SQL queries must be passed in safely rather than concatenated into the query text. Bind variables in prepared statements are a simple way to mitigate the risk of SQL injection.
Examples
Insecure Code

```scala
// The user-controlled value becomes part of the SQL text itself
val query = "SELECT * FROM users WHERE name = '" + username + "'"
```

Secure Code

```scala
// The SQL text is fixed; the value is bound separately as data
val query = "SELECT * FROM users WHERE name = ?"
val pstmt = connection.prepareStatement(query)
pstmt.setString(1, username)
```

Remediation
Use prepared statements with bind variables to prevent SQL injection attacks.
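The two snippets above side by side in a runnable form, as an added example that is not part of the rule's own documentation: it seeds an in-memory database and runs the same constructed input through the concatenated query and the prepared statement. It assumes the H2 JDBC driver (com.h2database:h2) is on the classpath and Scala 2.13 or later for `scala.util.Using`; the table, rows and input are all constructed here.

```scala
import java.sql.{Connection, DriverManager, ResultSet}
import scala.collection.mutable.ListBuffer
import scala.util.Using

object SqlInjectionDemo {
  // Assumed: the H2 JDBC driver is on the classpath. Any JDBC-compliant
  // in-memory database behaves the same way for this demonstration.
  private def withDb[T](f: Connection => T): T =
    Using.resource(DriverManager.getConnection("jdbc:h2:mem:demo")) { conn =>
      val st = conn.createStatement()
      st.execute("CREATE TABLE users(name VARCHAR(64))")   // constructed schema
      st.execute("INSERT INTO users VALUES ('alice'), ('bob')") // constructed rows
      st.close()
      f(conn)
    }

  // Mirrors the rule's insecure snippet: `username` is spliced into the SQL
  // text, so a quote character in it ends the literal and the remainder is
  // parsed as SQL, changing the structure of the WHERE clause.
  def findUserUnsafe(conn: Connection, username: String): List[String] = {
    val query = "SELECT name FROM users WHERE name = '" + username + "'"
    Using.resource(conn.createStatement().executeQuery(query))(collect)
  }

  // Mirrors the rule's secure snippet: the SQL text never changes, and the
  // driver passes `username` to the database as a bound value, never as SQL.
  def findUserSafe(conn: Connection, username: String): List[String] = {
    val pstmt = conn.prepareStatement("SELECT name FROM users WHERE name = ?")
    pstmt.setString(1, username)
    Using.resource(pstmt.executeQuery())(collect)
  }

  private def collect(rs: ResultSet): List[String] = {
    val names = ListBuffer.empty[String]
    while (rs.next()) names += rs.getString(1)
    names.toList
  }

  def main(args: Array[String]): Unit = withDb { conn =>
    // Constructed test input: contains a quote followed by more SQL.
    val input = "' OR '1'='1"
    // Concatenation lets the input rewrite the WHERE clause; binding keeps it a plain string.
    println(s"unsafe: ${findUserUnsafe(conn, input)}")
    println(s"safe:   ${findUserSafe(conn, input)}")
  }
}
```

Comparing the two printed lists shows the difference the rule is about: only the concatenated query lets the input alter which rows are matched.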
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0054 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | sql-injection, prepared-statement |
| OWASP | A1:2017-Injection, A03:2021-Injection |