SQL Injection
Description
It is possible to execute arbitrary SQL commands on the target application server’s backend database. SQL Injection is a critical vulnerability that can lead to a data or system compromise.
Remediation
Always use parameterized queries when issuing requests to backend database systems. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.
For example, some database drivers do not allow parameterized queries for >
or <
comparison
operators. In these cases, do not use a user supplied >
or <
value, but rather have the user
supply a gt
or lt
value. The alphabetical values are then used to look up the >
and <
values to be used in the construction of the dynamic query. The same goes for other queries where
column or table names are required but can not be parameterized.
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
89.1 | false | 89 | Active | high |