Sensei Logo Sensei Hub

Recipe - Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter

Description:
Could lead to JDBC Injection
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • Spring Data
  • framework specific
  • injection
  • SQL
  • OWASP Top 10
Documentation

Abstract

Secure coding practices prescribe that variables should be bound in prepared statements to mitigate the risk of SQL Injections.

Description

Input values in SQL queries can not be simply concatenated. Instead parameterized queries should be used.

Class information:

package org.springframework.jdbc.core.JdbcTemplate
    query
    queryForMap
    queryForObject
    queryForRowset
Use these functions as follows.

Correct code example:

JdbcTemplate jdbc = new JdbcTemplate();
int count = jdbc.queryForObject("select count(*) from Users where name = ?", Integer.class, paramName);
Recipe
id: scw:spring:jdbc:JdbcOperations-single-parameter
version: 10
metadata:
  name: 'Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter'
  shortDescription: Could lead to JDBC Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:sql
  enabled: true
  descriptionFile: descriptions/InputValidationAvoidJDBCInjectionBindvariablesinpreparedstatements.html
  tags: Spring;security;Spring Data;framework specific;injection;SQL;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    argCount: 1
    name:
      matches: queryForList|queryForMap|queryForRowSet|update|batchUpdate
    declaration:
      type: org.springframework.jdbc.core.JdbcOperations
availableFixes:
- name: Use parameterized queries
  actions:
  - parameterize:
      placeholderFormat: '?'
      extractUntrustedInput:
        array:
          type: java.lang.String[]
          atArgumentPosition: 2