SQL Injection via Improper Neutralization of Special Elements

Description

SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code.

Examples

Insecure Code

```python
# Vulnerable: the user-controlled value is formatted straight into the WHERE
# clause, so it becomes part of the SQL statement rather than a bound value.
# DBObject stands in for any model class ($X in the rule's pattern).
DBObject.objects.extra(where=['id=%s' % user_input])
```

Secure Code

```python
from django.db.models.expressions import RawSQL

# Safe: the SQL string contains only a placeholder; the user-supplied value is
# passed through `params`, so the database driver binds it as data.
for obj in DBObject.objects.all().annotate(
    val=RawSQL(sql="select id from some_secondary_table where id=%s",
               params=[user_supplied_id])
):
    pass  # obj.val now holds the annotated value for each row
```

Remediation

Replace all dynamically generated SQL queries with parameterized queries. Where a query must be built dynamically (for example, choosing a column or sort order), never splice user input into the SQL string; instead keep a map or dictionary of valid values and resolve the user-supplied key against it. In Django, consider using the `RawSQL` expression and make sure that all arguments, including user-supplied ones, are passed only through `params`.
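The two remediation patterns above, parameterized values and an allow-list resolved by key, shown side by side with the vulnerable form. This is an added example, not code from the page or the rule's project; it uses Python's built-in `sqlite3` instead of the Django ORM so it runs stand-alone, and the `users` table, its rows and the `_SORTABLE` map are constructed here.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Allow-list for the dynamic part of the query: user-supplied key -> column name.
# Identifiers cannot be bound as parameters, so they are resolved from this map.
_SORTABLE = {"id": "id", "name": "name"}


def _connect():
    """Return an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def lookup_insecure(user_input):
    """Mirrors the rule's pattern: the input is formatted into the WHERE clause.

    Any input containing SQL syntax changes the statement's logic instead of
    being compared as a value.
    """
    conn = _connect()
    query = "SELECT id, name FROM users WHERE id=%s" % user_input
    return conn.execute(query).fetchall()


def lookup_secure(user_input, sort_key="id"):
    """Parameterized value plus an allow-listed identifier resolved by key.

    The value is bound with a `?` placeholder, so it can only ever be compared
    as data. The ORDER BY column comes from _SORTABLE, never from the input.
    """
    column = _SORTABLE.get(sort_key)
    if column is None:
        raise ValueError("unsupported sort key: %r" % sort_key)
    conn = _connect()
    query = "SELECT id, name FROM users WHERE id=? ORDER BY " + column
    return conn.execute(query, (user_input,)).fetchall()
```

With the same tautology-style input, the insecure lookup returns every row while the secure lookup returns none, because the bound value never becomes part of the statement.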

Rule Details

| Field | Value |
|---|---|
| ID | CODE-0141 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | sql-injection, parameterized-queries |
| OWASP | A1:2017-Injection, A03:2021-Injection |