# SQL Injection Vulnerability

## Description

The identified method is susceptible to SQL injection. The input should be validated and properly escaped. This vulnerability occurs when user-controlled input is not properly sanitized and is used to construct SQL queries, allowing an attacker to inject malicious SQL code that changes the structure of the query instead of being treated as data.
## Examples

### Insecure Code

```scala
import java.sql.Connection

def queryDB(conn: Connection, sql: String) = {
  // the caller's string is pasted into the SQL text, so anything in it is parsed as SQL
  val query = "SELECT * FROM users WHERE name = " + sql
  // execute query
  conn.createStatement().executeQuery(query)
}
```

### Secure Code

```scala
import java.sql.Connection

def queryDB(conn: Connection, name: String) = {
  // the SQL text is a constant; the value is bound to the placeholder, never concatenated
  val query = "SELECT * FROM users WHERE name = ?"
  // execute query with parameterized input
  val ps = conn.prepareStatement(query)
  ps.setString(1, name)
  ps.executeQuery()
}
```

## Remediation
Validate and escape user-controlled input used in SQL queries. Consider using parameterized queries or prepared statements to prevent injection attacks.
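The following is an added example, not code from the original rule page: a JDBC (`java.sql`) version of the insecure and secure patterns side by side, plus the kind of input validation the remediation text mentions. It assumes an open `java.sql.Connection` named `conn` is supplied by the caller (no driver or database is included here) and uses the `users` table and `name` column from the examples above; the function and object names are illustrative.

```scala
import java.sql.{Connection, PreparedStatement, ResultSet}
import scala.collection.mutable.ListBuffer

// Added example for rule CODE-0044 (CWE-89). `conn` is assumed to be an open
// java.sql.Connection provided by the caller; `users(name)` is the table from
// the rule's own examples.
object UserQueries {

  // VULNERABLE: the caller's string becomes part of the SQL text. Even a
  // legitimate name such as O'Brien breaks the statement, and any input that
  // contains SQL syntax is executed as SQL rather than compared as a value.
  def findByNameUnsafe(conn: Connection, name: String): List[String] = {
    val query = "SELECT * FROM users WHERE name = '" + name + "'"
    val stmt = conn.createStatement()
    try collect(stmt.executeQuery(query)) finally stmt.close()
  }

  // HARDENED: the SQL text is a constant and the value travels to the driver
  // as a bound parameter, so the database never parses it as SQL. O'Brien is
  // matched literally, quote and all.
  def findByNameSafe(conn: Connection, name: String): List[String] = {
    val ps: PreparedStatement =
      conn.prepareStatement("SELECT * FROM users WHERE name = ?")
    try {
      ps.setString(1, name)
      collect(ps.executeQuery())
    } finally ps.close()
  }

  // Input validation in front of the parameterized query: a business rule on
  // length and character set (letters, space, dot, apostrophe, hyphen). It is
  // defence in depth, not a substitute for binding; the safe query above does
  // not rely on it.
  private val NamePattern = java.util.regex.Pattern.compile("^[\\p{L} .'-]{1,64}$")
  def isPlausibleName(name: String): Boolean = NamePattern.matcher(name).matches()

  // Validate first, then query with a bound parameter.
  def lookup(conn: Connection, name: String): Either[String, List[String]] =
    if (!isPlausibleName(name)) Left("rejected: name fails validation")
    else Right(findByNameSafe(conn, name))

  // Drain a ResultSet into a list of names and close it.
  private def collect(rs: ResultSet): List[String] = {
    val out = ListBuffer[String]()
    try {
      while (rs.next()) out += rs.getString("name")
    } finally rs.close()
    out.toList
  }
}
```

A useful way to read the two functions is to compare what reaches the database: in `findByNameUnsafe` the query text itself differs for every input, which is exactly what a SAST rule like this one flags, while in `findByNameSafe` the statement string is identical for every call and only the bound value changes. Escaping the input before concatenation is weaker than binding because it has to be correct for every database dialect and every call site; the prepared statement removes the problem instead of patching it.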
## Rule Details

| Field | Value |
|---|---|
| ID | CODE-0044 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | sql, injection |
| OWASP | N/A |