SQL Injection
Description
The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.
Examples
Insecure Code
kotlin
String query = "SELECT * FROM users WHERE name = '" + username + "'";Secure Code
kotlin
String query = "SELECT * FROM users WHERE name = ?"; PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, username);Remediation
Use prepared statements with bind variables to prevent SQL injection.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0324 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | sql-injection, prepared-statement |
| OWASP | A1:2017-Injection, A03:2021-Injection |