SQL Injection from User-Controlled Query String
Description
The code is vulnerable to SQL injection because user-controlled input (here a URL path segment) is concatenated directly into the text of a SQL query, so the input can alter the structure of the statement rather than being treated as data. This can lead to unauthorized data access, data tampering, or other malicious activity against the database.
Examples
Insecure Code

```python
from flask import Flask, jsonify
import sqlite3

app = Flask(__name__)

@app.route('/users/<username>')
def show_user_profile(username):
    # Vulnerable: the path segment is pasted straight into the SQL text
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor = sqlite3.connect("users.db").cursor()  # placeholder database file
    cursor.execute(query)
    return jsonify(cursor.fetchall())
```

Secure Code

```python
from flask import Flask, jsonify
from sqlalchemy import create_engine, text

app = Flask(__name__)
engine = create_engine("sqlite:///users.db")  # placeholder connection string

@app.route('/users/<username>')
def show_user_profile(username):
    # username is sent as a bound parameter, separate from the SQL text,
    # so quotes or keywords in it cannot change the statement's structure
    query = text("SELECT * FROM users WHERE name = :username")
    with engine.connect() as conn:
        result = conn.execute(query, {"username": username})
        return jsonify([dict(row._mapping) for row in result])
```

Remediation
Use parameterized queries (bound parameters) or an Object-Relational Mapper (ORM) so that user input reaches the database as a value rather than as part of the SQL text. Building the statement with string concatenation or formatting is what this rule flags, regardless of any escaping applied beforehand.
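To show concretely why the rule treats concatenation and parameter binding so differently, the following added example (not code from this rule page or any project) runs both patterns against a constructed in-memory SQLite table. It uses the DB-API `?` placeholder style rather than the SQLAlchemy `:username` form shown above; the `USERS` rows and the three probe inputs are constructed for this illustration. The probes are the ones a reviewer would keep as regression tests: an ordinary name, a legitimate name containing an apostrophe, and the textbook tautology string.

```python
import sqlite3

# Constructed sample data for the demonstration.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Create an in-memory users table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """The pattern CODE-0809 flags: the input becomes part of the SQL text."""
    query = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, username):
    """Remediated form: the input travels as a bound parameter."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username):
    """Run both lookups on the same input and return (concat_result, param_result).

    When the concatenated statement no longer parses, concat_result is an
    'error: ...' string instead of a list, since the input broke the SQL itself.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, username)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    param = lookup_param(conn, username)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for probe in ("alice", "O'Brien", "' OR '1'='1"):
        concat, param = compare(probe)
        print(f"{probe!r:16} concat={concat!r:40} param={param!r}")
```

Running the block prints one line per probe. The ordinary name behaves the same either way; the apostrophe in `O'Brien` makes the concatenated statement unparseable while the bound version finds the row; and the tautology turns the concatenated `WHERE` clause into one that matches every row, whereas the bound version matches nothing because no user has that literal name.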
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0809 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | SQL Injection, User Input |
| OWASP | A03:2021-Injection |